Patch now: Published Citrix applications leave networks of 'potentially 80,000' firms at risk from attackers
Unauthorised users able to perform 'arbitrary code execution'
A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access.
Citrix (NetScaler) ADC is a load balancer and monitoring tech, while Unified Gateway provides remote access to internal applications. This can include desktop applications as well as intranet or web applications. "Any application on any device from any location" is the marketing pitch.
On 17 December, Citrix published an advisory stating that a vulnerability in these services "could allow an unauthenticated attacker to perform arbitrary code execution."
According to Positive Technologies, the security company which discovered the flaw, no account details are required. Positive says the "first vulnerable version of the software was released in 2014", and estimates that "at least 80,000 companies in 158 countries are potentially at risk."
Since the whole idea of this technology is to enable remote access to internal applications, arbitrary code execution could give the attacker access to the internal network, making it a particularly critical flaw.
Citrix has published mitigation steps which block certain SSL VPN requests, suggesting that this area is where the flaw lies. This is a mitigation rather than a complete fix. An SSL VPN is a secure tunnel into a remote network which uses the SSL protocol.
The affected versions of Citrix ADC and Unified Gateway include 10.5, 11.1, 12.0, 12.1 and 13.0.
The problem has been assigned the ID CVE-2019-19781 and details will be available at this link when published.
Citrix said it is "notifying customers and channel partners about this potential security issue."
Administrators are advised to apply the mitigation immediately. A full software fix will be made available in due course. ®