Citrix races out more patches to fix critical bug, plus a free detection tool

The detection tool however won’t detect all compromises.

Enterprise software vendor Citrix has rushed out another set of fixes for a vulnerability that’s currently under attack and was disclosed over a month ago. 

Citrix CISO Fermin Serna announced the security fixes affecting its Citrix SD-WAN WANOP devices for the vulnerability CVE-2019-19781 today, knocking over one of three product groups affected by the bug. 

The company has also teamed up with security vendor FireEye to develop a free and open source tool for detecting potential compromises on affected Citrix servers. 

The tools are available on the Citrix and FireEye GitHub pages; the companies promise they will do a “best effort job at identifying existing compromise” but won’t guarantee detection every time.

The tools will be welcome to admins given that there are well over 10,000 vulnerable Citrix servers, which may well have been compromised before Citrix delivered its patches. The bug affects Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP. 

Citrix rolled out its first round of patches earlier this week for some versions of ADC (formerly known as NetScaler) and Citrix Gateway (formerly known as NetScaler Gateway).

As the first patches arrived, Dutch security researcher Victor Gevers found there were still 14,564 vulnerable Citrix endpoints online.

Citrix disclosed the bug CVE-2019-19781 on December 17 despite not having patches ready to go. 

FireEye researchers have found that one attacker is using the Citrix flaw to remove malware from infected NetScaler devices, but then installs a password-protected backdoor to prevent other attackers from exploiting the flaw.

FireEye believes this work, carried out by an actor it calls NotRobin, could be laying the groundwork for a future cyberattack.  

Today’s patches should be applied immediately to Citrix SD-WAN WANOP and also require admins to upgrade these instances to build 10.2.6b or 11.0.3b, according to Serna.

“These fixes are only applicable to the SD-WAN 4000-WO, 5000-WO, 4100-WO, and 5100-WO platforms. All other SD-WAN PE and SD-WAN SE platforms are not impacted by this vulnerability and do not need to be patched,” wrote Serna.

Citrix expects to release a final set of updates for this flaw on Friday to address the vulnerability in Citrix ADC and Gateway products for versions 12.1, 10.5, and 13.0. 

Copyright © 2020 IDG Communications, Inc.