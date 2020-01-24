Citrix launches APAC cloud management plane

Citrix has released a new round of security updates to resolve a critical vulnerability that exposes thousands of servers to code execution attacks.

The core vulnerability is CVE-2019-19781, a directory-transversal security error that can be exploited by malicious people to execute arbitrary code. The vulnerability has received a CVSS score of 9.8 – in other words, it cannot be much more serious.

Different versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway, as well as Citrix SD-WAN WANOP, are affected.

In the latest set of fixes to stop server security holes, Citrix has now pushed patches for Citrix ADC and Citrix Gateway versions 12.1 and 13.0. IT administrators must ensure that their builds are upgraded to 12.1.55.18 and 13.0.47.24.

Two sets of security updates for other ADC and Gateway builds, Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and Citrix SD-WAN 4000-WO, 5000-WO, 4100-WO and 5100-WO, were released earlier this week. (1, 2)

Fixes for ADC and Gateway can now be downloaded from the Citrix support website and must be applied as quickly as possible.

No patches were available at the time of disclosure on December 17; instead, the company published a mitigation guide as a temporary solution. Researchers estimate that up to 80,000 organizations in 158 countries may be susceptible to cyber attacks due to the bug.

A month passed and there was no solution, but Citrix has now started to roll out updates quickly, incited to further urgency because of two CVE-2019-19781 exploit codes that became public at the beginning of January, and an increase in scans for vulnerable servers take place.

It has also been reported that a hacking entity scans and patches Citrix servers – but it is more likely that a threat actor hoards them for nefarious purposes than a civilian white hat takes matters into its own hands.

Due to the seriousness of the problem, patches are available, regardless of maintenance contracts with Citrix. The company “urges” the immediate installation of the security updates.

The table below shows the available server patches and updated builds.

A free scan tool, developed by Citrix and FireEye Mandiant, is also available for IT administrators to check if their servers are vulnerable to misuse.

“Thanks to our customers and partners for your patience as we continue to develop solutions that fully address this vulnerability,” says Citrix. “Customer security remains a top priority for Citrix and we will continue to make every effort to ensure that all customers are supported.”

