As you know, we announced a vulnerability and comprehensive mitigations on December 17 for certain versions of Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.
We wanted to share some updates after further review:
- This vulnerability also affects certain deployments of two older versions of our Citrix SD-WAN WANOP product versions 10.2.6 and version 11.0.3. All other SD-WAN products are not impacted. These two specific versions of Citrix SD-WAN WANOP include Citrix ADC as a load balancer. Consequently, it is vulnerable if not mitigated. The published mitigations are effective for Citrix SD-WAN WANOP edition.
- Yesterday, we discovered, based on customer feedback, that the mitigation was failing on a specific build of ADC. In Citrix ADC and Citrix Gateway Release 12.1 build 50.28, an issue exists that affects responder and rewrite policies causing them to not process the packets that matched policy rules. Citrix recommends that customers update to the 12.1 build 50.28/50.31 or later for the mitigation steps to function as intended. Alternatively, apply the mitigation steps to the management interface as published in CTX267679. This will mitigate attacks, not just on the management interface, but on ALL interfaces including Gateway and AAA virtual IPs. Our testing and input from customers indicate that the mitigations are effective across all known scenarios if all steps are completed, including upgrading from 12.1 build 50.28 or, alternatively, applying the mitigation to the management interface. We certainly regret this oversight, and have updated CVE-2019-19781 to reflect this new information.
- I want to clarify a statement in my previous blog. I posted this tweet January 13 in an effort to clarify, and want to emphasize here again. We believe that a limited number of devices are exploitable through the management IP, but they could be directly affected through the VIP being an attack vector. I want to thank Joe Shonk for pointing this out. We have updated the previous blog accordingly.
- Finally, we are monitoring the comments about the mitigation and exploits not involving the directory traversal method. We investigated those that came to our attention, and we confirm that our mitigation is effective across all known scenarios. We welcome the community to continue testing our mitigation and to reach out to us at secure@citrix.com with any feedback.
We continue to encourage our customers to apply the mitigation following all documented steps and have increased our support staff to help customers apply the mitigation. And we look forward to the release of permanent fixes starting on Monday, January 20.