Citrix ships patches as vulnerable servers come under attack
Citrix has issued its first set of patches fixing a nasty vulnerability that’s been hanging over some of its biggest products.
The flaw, identified as CVE-2019-19781 on 17 December 2019, affected Citrix’s Application Delivery Controller (ADC) load and application balancer, and the Citrix Gateway Virtual Private Network (VPN) appliance (previously known as the NetScaler ADC or NetScaler Gateway).
Citrix was vague about what the flaw might allow an attacker to do beyond saying that it “could allow an unauthenticated attacker to perform arbitrary code execution.”
However, it’s been clear from the start that it was serious, an impression reinforced by speculation (based on analysis of Citrix’s proposed mitigations) that the issue allows directory traversal, that is offering attackers a way to access to restricted directories without having to authenticate.
That’s potentially disastrous – the Citrix Gateway, for example, is used to enable VPN remote access so an attacker able to crawl into a network through that route could exploit that in numerous horrible ways.