NCSC Cyber Security Advisory CSA-2020-1439
Critical vulnerability in Citrix products
In late 2019, Citrix released security bulletin CTX267027 detailing a vulnerability (CVE-2019-19781) affecting the following products:
- Citrix Application Delivery Controller (NetScaler ADC) versions 10.5, 11.1, 12.0, 12.1 and 13.0.
- Citrix Gateway (NetScaler Gateway) versions 10.5, 11.1, 12.0, 12.1 and 13.0.
Citrix has rated the severity of this vulnerability as critical, noting it allows for arbitrary code execution in affected versions of Citrix products. Exploitation of this vulnerability could result in full remote compromise of the exposed server and potentially the wider network.
Although updated firmware is not yet available to fix the vulnerability, Citrix has released mitigation steps in a separate article, CTX267679.
The NCSC recommends organisations using the affected products apply the mitigations detailed in Citrix article CTX267679 as soon as possible. Once a fixed version of the firmware is released this should also be applied to all affected devices.
- Citrix security bulletin: https://support.citrix.com/article/CTX267027
- Citrix mitigation steps: https://support.citrix.com/article/CTX267679
- CVE-2019-19781: https://nvd.nist.gov/vuln/detail/CVE-2019-19781