Dutch NCSC: Turn off Citrix ADC and Gateway servers NOW as mitigation measures are not effective

Citrix expects to release permanent patches for the critical security flaw by the end of January - despite being informed of it more than three months ago

The Dutch National Cyber Security Centre (NCSC) has advised organisations running Citrix ADC and Gateway servers to shut down their machines until Citrix releases a fully working patch for the CVE-2019-19781 vulnerability.

"If the impact of switching off the Citrix ADC and Gateway servers is not acceptable, the advice is to closely monitor for possible abuse," reads a translation of the NCSC advisory on its website.

"As a last risk-limiting measure you can still look at whitelisting of specific IP addresses or IP blocks," it added.

The advisory from the Dutch NCSC follows Citrix's admission that its mitigation measures for CVE-2019-19781 cannot provide protection against exploits on some installations running older firmware.

The company revealed that Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31 remain vulnerable because the bug "affects responder and rewrite policies bound to VPN virtual servers causing them not to process the packets that matched policy rules."

In this case, Citrix recommends that customers first update the product to an unaffected build and then apply the mitigation steps.

Citrix also said that, after detailed analysis of the security vulnerability, it found that the flaw also affects the WAN Optimisation (WANOP) edition of the Citrix SD-WAN appliance (models 4000, 4100, 5000 and 5100, all supported builds).

CVE-2019-19781, which has a severity score of 9.8 out of 10, was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies.

The issue affects Citrix Application Delivery Controller (formerly NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway) and could allow attackers to execute arbitrary code on vulnerable machines via directory traversal, without requiring authentication.

Security researchers warned that threat actors were scanning for vulnerable appliances and had also started exploiting the flaw.
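The two fallback measures the NCSC describes, monitoring for abuse and whitelisting IP blocks, as an added example that is not part of this article and not a Citrix or NCSC tool: a log review that flags plain or percent-encoded directory-traversal segments in request paths (the class of flaw described above) and requests from clients outside an allow-list. The log format, the paths and the addresses are constructed assumptions; real appliance logs need their own parser.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines, not from any real appliance. Assumed
# format: "<client_ip> <method> <path> <status>"; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 GET /index.html 200
203.0.113.8 GET /static/app.js 200
198.51.100.9 GET /a/../../conf/secret 200
203.0.113.8 POST /x/%2e%2e/%2e%2e/secret 404
198.51.100.10 GET /y/..%2F..%2Fz 200
"""

TRAVERSAL_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")  # a '..' path segment


def decode_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %2e%2e and double-encoded forms surface."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True when the decoded path contains a '..' segment."""
    return TRAVERSAL_SEGMENT.search(decode_path(raw_path)) is not None


def review_log(log_text: str, allowed_blocks: list[str]) -> list[tuple[str, str, str]]:
    """Return (reason, client_ip, raw_path) for each suspicious request:
    traversal-looking paths (monitoring) and clients outside the allow-list."""
    nets = [ipaddress.ip_network(block) for block in allowed_blocks]
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines instead of crashing the review
        client, path = parts[0], parts[2]
        if is_traversal(path):
            findings.append(("traversal", client, path))
        if not any(ipaddress.ip_address(client) in net for net in nets):
            findings.append(("outside-allowlist", client, path))
    return findings
```

Calling `review_log(SAMPLE_LOG, ["203.0.113.0/24"])` reports the three traversal-style requests and the two clients outside the allowed block; a hit from an allow-listed address (the `%2e%2e` line) shows why whitelisting alone is only a last resort.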

In an update on its website, Citrix said that it was working to develop permanent fixes for the vulnerability and expects to release them before the end of January.

According to Citrix, permanent fixes for all supported versions could be released on the dates given below:

"As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested," the company said in an online post.

Last week, security researchers published two proof-of-concept (PoC) exploits for the vulnerability on GitHub.

These PoCs are expected to lower the bar for attacks on organisations running vulnerable systems even further.