{"id":16292,"date":"2020-01-20T17:36:08","date_gmt":"2020-01-20T22:36:08","guid":{"rendered":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?p=16292"},"modified":"2022-10-14T18:26:58","modified_gmt":"2022-10-14T22:26:58","slug":"update-citrix-sd-wan-asap","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/sd-wan\/update-citrix-sd-wan-asap.html","title":{"rendered":"Update Citrix SD-WAN ASAP"},"content":{"rendered":"\n<p>On December 17, 2019, <a href=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/?s=Citrix+\">Citrix <\/a>reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.<\/p>\n\n\n\n<p>The vulnerability affects the following appliances:<\/p>\n\n\n\n<ul><li>Citrix NetScaler ADC and NetScaler Gateway version 10.5 \u2013 all supported builds<\/li><li>Citrix ADC and NetScaler Gateway version 11.1 \u2013 all supported builds before 11.1.63.15<\/li><li>Citrix ADC and NetScaler Gateway version 12.0 \u2013 all supported builds before 12.0.63.13<\/li><li>Citrix ADC and NetScaler Gateway version 12.1 \u2013 all supported builds<\/li><li>Citrix ADC and Citrix Gateway version 13.0 \u2013 all supported builds<\/li><li>Citrix SD-WAN WANOP firmware and appliance models 4000, 4100, 5000, and 5100 \u2013 all supported builds. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/www.cisa.gov\/\">CISA <\/a>strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available.<\/p>\n\n\n\n<p>The fixed builds can be downloaded from Citrix Downloads pages for <a href=\"https:\/\/www.citrix.com\/downloads\/citrix-adc\/\">Citrix ADC<\/a> and <a href=\"https:\/\/www.citrix.com\/downloads\/citrix-gateway\/\">Citrix Gateway<\/a>.<\/p>\n\n\n\n<p>Until the appropriate update is accessible, users and administrators should apply Citrix\u2019s interim mitigation steps for CVE-2019-19781. Verify the successful application of the above mitigations by using the tool in <a href=\"https:\/\/support.citrix.com\/article\/CTX269180\">CTX269180 \u2013 CVE-2019-19781 \u2013 Verification ToolTest<\/a>.<\/p>\n\n\n\n<p><strong>Note:<\/strong> these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.<\/p>\n\n\n\n<p>Refer to table 1 for Citrix\u2019s planned fix schedule.<\/p>\n\n\n\n<p><strong>Table 1. Fix schedule for Citrix appliances vulnerable to\nCVE-2019-19781<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"\"><thead><tr><td>\n   <strong>Vulnerable Appliance<\/strong><strong><\/strong>\n   <\/td><td>\n   <strong>Firmware Update<\/strong><strong><\/strong>\n   <\/td><td>\n   <strong>Release Date<\/strong><strong><\/strong>\n   <\/td><\/tr><tr><td>    Citrix ADC and Citrix Gateway version 10.5    <\/td><td>    Refresh Build 10.5.70.x    <\/td><td>    January 24, 2020 (Expected)    <\/td><\/tr><tr><td>    Citrix ADC and Citrix Gateway version 11.1    <\/td><td>    Refresh Build 11.1.63.15    <\/td><td>    January 19, 2020    <\/td><\/tr><tr><td>    Citrix ADC and Citrix Gateway version 12.0    <\/td><td>    Refresh Build 12.0.63.13    <\/td><td>    January 19, 2020    <\/td><\/tr><tr><td>    Citrix ADC and Citrix Gateway version 12.1    <\/td><td>    Refresh Build 12.1.55.x    <\/td><td>    January 24, 2020 (Expected)    <\/td><\/tr><tr><td>    Citrix ADC and Citrix Gateway version 13.0    <\/td><td>    Refresh Build 13.0.47.x    <\/td><td>    January 24, 2020 (Expected)    <\/td><\/tr><tr><td>    Citrix SD-WAN WANOP Release 10.2.6    <\/td><td>\n   Citrix\n   ADC Release 11.1.51.615\n   <\/td><td>    January 24, 2020 (Expected)    <\/td><\/tr><tr><td>    Citrix SD-WAN WANOP Release 11.0.3    <\/td><td>    Citrix ADC Release 11.1.51.615    <\/td><td>    January 24, 2020 (Expected)    <\/td><\/tr><\/thead><\/table><\/figure>\n\n\n\n<p>Administrators should review NSA\u2019s <a href=\"https:\/\/media.defense.gov\/2020\/Jan\/10\/2002233132\/-1\/-1\/0\/CSA%20FOR%20CITRIXADCANDCITRIXGATEWAY_20200109.PDF\">Citrix\nAdvisory<\/a> for other mitigations, such as applying the following\ndefense-in-depth strategy:<\/p>\n\n\n\n<p>\u201cConsider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN\/TLSVPN is discouraged.\u201d<\/p>\n\n\n\n<p><strong>See the only Tech and SD-WAN vendors that&nbsp;<a href=\"https:\/\/www.itexpo.com\/east\/exhibitor-list.aspx\">matter&nbsp;<\/a>at the&nbsp;<\/strong><a href=\"http:\/\/www.itexpo.com\/\"><strong>ITEXPO<\/strong><\/a><strong>&nbsp;#TECHSUPERSHOW.<\/strong><\/p>\n\n\n\n<p>36 companies&nbsp;make this the largest number of SD-WAN companies anywhere.<\/p>\n\n\n\n<p><strong>Join others with $8.5B+ in IT buying power who plan 2020 budgets! Including 3,000+ resellers!<\/strong><\/p>\n\n\n\n<p>A unique experience with a collocated&nbsp;<a href=\"http:\/\/www.sdwanexpo.com\/\"><strong>SD-WAN Expo<\/strong><\/a>,&nbsp;<a href=\"https:\/\/www.aiopsexpo.com\/\">AIOps Expo<\/a>&nbsp;and&nbsp;<a href=\"http:\/\/www.mspexpo.com\/\"><strong>MSP Expo<\/strong><\/a>\u2026<\/p>\n\n\n\n<p>Come to the Digital Transformation Event! Feb 12-14, 2020, Fort Lauderdale, FL.&nbsp;<a href=\"https:\/\/www.itexpo.com\/east\/registration.aspx\">Register now<\/a>.<\/p>\n\n\n\n<p>See these SD-WAN vendors and&nbsp;<a href=\"https:\/\/www.itexpo.com\/east\/exhibitor-list.aspx\">more<\/a>&nbsp;\u2013 including&nbsp;<strong>Exclusive&nbsp;<\/strong>Diamond Sponsor:&nbsp;<strong>Frontier Business<\/strong>.<br><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"\"><tbody><tr><td>IBM<\/td><td><a href=\"https:\/\/www.talari.com\/\">Oracle<\/a><\/td><\/tr><tr><td>Singtel<\/td><td>Ooma<\/td><\/tr><tr><td>Intelisys<\/td><td>Comcast Business<\/td><\/tr><tr><td>HughesON<\/td><td>Windstream Enterprise<\/td><\/tr><tr><td>Adaptiv Networks<\/td><td>Jenne<\/td><\/tr><tr><td>Fujitsu<\/td><td>Telarus<\/td><\/tr><tr><td>128 Technology<\/td><td>SureNET<\/td><\/tr><tr><td>AT&amp;T<\/td><td>Sprint<\/td><\/tr><tr><td>RocketBroadband<\/td><td>Mach Networks<\/td><\/tr><tr><td>Tech Data<\/td><td>Aryaka<\/td><\/tr><tr><td>Martello<\/td><td>Inseego<\/td><\/tr><tr><td>Tallac<\/td><td><a href=\"http:\/\/www.granitenet.com\/\">Granite Telecommunications<\/a><\/td><\/tr><tr><td>Airespring<\/td><td><a href=\"https:\/\/itrinegy.com\/\">Itrinegy<\/a><\/td><\/tr><tr><td><a href=\"https:\/\/www.linkedin.com\/posts\/richtehrani_techsupershow-activity-6616027007140548608-8jZs\">CloudGenix<\/a><\/td><td>BEC Technologies<\/td><\/tr><tr><td>EnTelegent Solutions<\/td><td>PCCW<\/td><\/tr><tr><td>Vonage<\/td><td>8\u00d78<\/td><\/tr><tr><td>Avaya<\/td><td>Expereo<\/td><\/tr><tr><td>Mach Networks<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"640\" src=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2019\/11\/itexpo-techsupershow-2019.jpg\" alt=\"\" class=\"wp-image-15557\" srcset=\"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2019\/11\/itexpo-techsupershow-2019.jpg 1000w, https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-content\/uploads\/2019\/11\/itexpo-techsupershow-2019-768x492.jpg 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild. The vulnerability affects the following appliances: Citrix NetScaler ADC and NetScaler Gateway version 10.5 \u2013 all supported builds Citrix ADC and NetScaler Gateway version<\/p>\n","protected":false},"author":44,"featured_media":16293,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1829],"tags":[2676,2677,1590],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/16292"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=16292"}],"version-history":[{"count":1,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/16292\/revisions"}],"predecessor-version":[{"id":16294,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/16292\/revisions\/16294"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media\/16293"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=16292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=16292"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=16292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}