Citrix has released patches for all of the versions of its Application Delivery Controller and Gateway that are affected by the nasty directory traversal vulnerability disclosed last month.
The flaw affects a wide range of Citrix products, including several versions of its ADC and Gateway appliances, as well as its SD-WAN WANOP boxes. Researchers discovered the vulnerability in December and disclosed it to Citrix, which published an advisory on Dec. 17. However, it took the company several weeks to build, test, and release the patches for all of the vulnerable products, and those fixes rolled out this week.
The vulnerability is a directory traversal bug that, in some cases, can lead to remote code execution by an unauthenticated attacker. There have been reports of active attacks against the vulnerability and several public exploits for the bug are available, so Citrix officials and security researchers are urging enterprises to install the patches as soon as possible. Citrix also released a free tool, developed in conjunction with FireEye Mandiant, that scans affected appliances for indicators of compromise left by the known exploits.
“In addition to immediately installing these fixes, we encourage all customers to use the free Indicator of Compromise Scanning tool that we teamed up with FireEye Mandiant to launch this week. This tool is available under the Apache 2.0 open source license, and provides customers with increased awareness of potential compromise related to the CVE-2019-19781 vulnerability on their systems. The tool is designed to allow customers to run it locally on their Citrix instances and receive a rapid assessment of potential Indicators of Compromise based on known attacks and exploits,” Citrix CISO Fermin J. Serna said.
Earlier this week, Citrix released patches for versions 11.1 and 12.0 of the ADC and Gateway, and on Thursday permanent fixes for versions 12.1 and 13.0 became available. Version 10.5 was set to be patched on Jan. 24.
On Thursday, security researchers began reporting exploitation of the Citrix bug (CVE-2019-19781) as part of targeted ransomware infections in Windows networks.
“Very tactical preliminary update. It appears an actor is using CVE-2019-19781 for initial access, and other vulnerabilities to pivot into a Windows environment in order to deploy ransomware. If you haven't already begun mitigating, you really need to consider the ramifications,” Andrew Thompson of FireEye said on Twitter.