Citrix urges customers to apply mitigation steps for CVE-2019-1978, a remote code execution vulnerability exploitable through specially crafted HTTP requests to vulnerable devices.
Background
Citrix has released an advisory for CVE-2019-1978, a vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway that could allow an unauthenticated attacker to execute code on the affected devices. Users are encouraged to apply the provided mitigation steps as quickly as possible.
Analysis
While Citrix does not detail the exact nature of the vulnerability in the advisory, the recommended mitigation steps seem to block HTTP based VPN requests with additional components that could potentially contain code. This implies that there is unsanitized code in the VPN handler for these devices. The mitigation, therefore checks for incoming HTTP-based VPN requests, and sends a 403 FORBIDDEN response whenever requests with the exploit format are detected.
According to Citrix, the following devices are identified as vulnerable:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Solution
Depending on an organization's device setup, mitigation options are listed for each Citrix device configuration to mitigate this vulnerability. Citrix has stated that an update will be available at a later date, at which time users can remove the mitigation and upgrade.
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.