
Citrix finally patches major security flaw

(Image credit: Wright Studio / Shutterstock)

The recently discovered critical vulnerability in Citrix's ADC and Gateway software has finally been patched, and the company is urging everyone running the affected products to update immediately.

The vulnerability, tracked as CVE-2019-19781, was discovered in December last year by Positive Technologies' Mikhail Klyuchnikov. At the time there was no patch, and as soon as the details became public, attackers were observed scanning the internet for vulnerable Citrix instances.

Citrix responded quickly with mitigation steps for customers to apply until a fix was made available.

The critical path traversal vulnerability allowed unauthenticated attackers to achieve arbitrary code execution on affected appliances. When the vulnerability was first found, some 80,000 businesses across 160 countries were using the software.

"The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX)," the company says.

"Further investigation by Citrix has shown that this issue also affects certain deployments of Citrix SDWAN, specifically Citrix SDWAN WANOP edition. Citrix SDWAN WANOP edition packages Citrix ADC as a load balancer thus resulting in the affected status."

The fixes apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX), the company added.

There is no need to update the SVM on SDX appliances.

"It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes."

You can find the patches for versions 12 and 11.1 here and here.
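For an operator with many appliances, the practical follow-up to the advisory above is an inventory check: which instances are already on a build at or above the fixed builds Citrix quotes (11.1.63.15 and 12.0.63.13), and which still need the upgrade. The script below is an added example, not Citrix's own tooling and not from the original article; the fixed build numbers are taken from the article, while the inventory records, hostnames, role labels and record format are constructed for illustration. Release trains the article does not mention (for example anything other than 11.1 or 12.0) are deliberately reported as "unknown-train" rather than guessed at, so the reader is pointed back to the vendor advisory.

```python
"""Classify Citrix ADC / Gateway inventory records against the fixed builds for
CVE-2019-19781 quoted in the article (11.1 -> 11.1.63.15, 12.0 -> 12.0.63.13).

Added example. Inventory records below are constructed; only the two fixed
build numbers come from the article.
"""

from typing import Dict, List, NamedTuple, Tuple

# Minimum fixed builds quoted in the article, keyed by (major, minor) train.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (11, 1): (11, 1, 63, 15),
    (12, 0): (12, 0, 63, 13),
}


def parse_build(version: str) -> Tuple[int, ...]:
    """Turn a build string such as '12.0.63.13' into (12, 0, 63, 13).

    Raises ValueError on anything that is not four dot-separated integers,
    so malformed inventory data is surfaced rather than silently compared.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {version!r}")
    return tuple(int(p) for p in parts)


class Verdict(NamedTuple):
    host: str
    status: str   # "fixed", "vulnerable", "unknown-train" or "not-applicable"
    detail: str


def assess(host: str, role: str, version: str) -> Verdict:
    """Classify one inventory record.

    role is "MPX" or "VPX" (appliances that need the fix) or "SVM", the SDX
    management VM, which the article says does not need updating.
    """
    if role.upper() == "SVM":
        return Verdict(host, "not-applicable", "SVM on SDX does not need the update")
    try:
        build = parse_build(version)
    except ValueError as exc:
        return Verdict(host, "unknown-train", str(exc))
    train = build[:2]
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        return Verdict(
            host,
            "unknown-train",
            f"train {train[0]}.{train[1]} not covered by the article; consult the vendor advisory",
        )
    fixed_str = ".".join(map(str, fixed))
    # Tuple comparison is lexicographic, so 12.0.64.1 correctly ranks above 12.0.63.13.
    if build >= fixed:
        return Verdict(host, "fixed", f"{version} >= {fixed_str}")
    return Verdict(host, "vulnerable", f"{version} < {fixed_str}; upgrade required")


# Constructed inventory: (hostname, role, reported build). Not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("adc-edge-01", "VPX", "12.0.63.13"),
    ("adc-edge-02", "MPX", "12.0.58.15"),
    ("gw-dc-01", "VPX", "11.1.63.15"),
    ("gw-dc-02", "VPX", "11.1.62.8"),
    ("sdx-mgmt-01", "SVM", "13.0.41.20"),
    ("adc-lab-01", "VPX", "13.0.41.20"),
]


def assess_inventory(records=SAMPLE_INVENTORY) -> Dict[str, List[str]]:
    """Return a {status: [hosts]} summary suitable for a remediation report."""
    summary: Dict[str, List[str]] = {}
    for host, role, version in records:
        verdict = assess(host, role, version)
        summary.setdefault(verdict.status, []).append(verdict.host)
    return summary


if __name__ == "__main__":
    for status, hosts in assess_inventory().items():
        print(f"{status:15s} {', '.join(hosts)}")
```

Run as-is it prints one line per status for the constructed inventory; in practice the records would be fed from whatever asset system holds the appliance build strings. The ordering check relies on comparing integer tuples rather than strings, which matters because a string comparison would rank "12.0.9.x" above "12.0.63.13".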