On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.
The vulnerability affects the following appliances:
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 11.1.63.15
- Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 12.0.63.13
- Citrix ADC and NetScaler Gateway version 12.1 – all supported builds
- Citrix ADC and Citrix Gateway version 13.0 – all supported builds
- Citrix SD-WAN WANOP firmware and appliance models 4000, 4100, 5000, and 5100 – all supported builds. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).
CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available.
The fixed builds can be downloaded from Citrix Downloads pages for Citrix ADC and Citrix Gateway.
Until the appropriate update is accessible, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781. Verify the successful application of the above mitigations by using the tool in CTX269180 – CVE-2019-19781 – Verification ToolTest.
Note: these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.
Refer to table 1 for Citrix’s planned fix schedule.
Table 1. Fix schedule for Citrix appliances vulnerable to CVE-2019-19781
| Vulnerable Appliance | Firmware Update | Release Date |
| Citrix ADC and Citrix Gateway version 10.5 | Refresh Build 10.5.70.x | January 24, 2020 (Expected) |
| Citrix ADC and Citrix Gateway version 11.1 | Refresh Build 11.1.63.15 | January 19, 2020 |
| Citrix ADC and Citrix Gateway version 12.0 | Refresh Build 12.0.63.13 | January 19, 2020 |
| Citrix ADC and Citrix Gateway version 12.1 | Refresh Build 12.1.55.x | January 24, 2020 (Expected) |
| Citrix ADC and Citrix Gateway version 13.0 | Refresh Build 13.0.47.x | January 24, 2020 (Expected) |
| Citrix SD-WAN WANOP Release 10.2.6 | Citrix ADC Release 11.1.51.615 | January 24, 2020 (Expected) |
| Citrix SD-WAN WANOP Release 11.0.3 | Citrix ADC Release 11.1.51.615 | January 24, 2020 (Expected) |
Administrators should review NSA’s Citrix Advisory for other mitigations, such as applying the following defense-in-depth strategy:
“Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN/TLSVPN is discouraged.”
See the only Tech and SD-WAN vendors that matter at the ITEXPO #TECHSUPERSHOW.
36 companies make this the largest number of SD-WAN companies anywhere.
Join others with $8.5B+ in IT buying power who plan 2020 budgets! Including 3,000+ resellers!
A unique experience with a collocated SD-WAN Expo, AIOps Expo and MSP Expo…
Come to the Digital Transformation Event! Feb 12-14, 2020, Fort Lauderdale, FL. Register now.
See these SD-WAN vendors and more – including Exclusive Diamond Sponsor: Frontier Business.
| IBM | Oracle |
| Singtel | Ooma |
| Intelisys | Comcast Business |
| HughesON | Windstream Enterprise |
| Adaptiv Networks | Jenne |
| Fujitsu | Telarus |
| 128 Technology | SureNET |
| AT&T | Sprint |
| RocketBroadband | Mach Networks |
| Tech Data | Aryaka |
| Martello | Inseego |
| Tallac | Granite Telecommunications |
| Airespring | Itrinegy |
| CloudGenix | BEC Technologies |
| EnTelegent Solutions | PCCW |
| Vonage | 8×8 |
| Avaya | Expereo |
| Mach Networks |
