In December 2019, a vulnerability tracked as CVE-2019-19781 was disclosed in the Citrix Application Delivery Controller (Citrix ADC) and Citrix Gateway.  Both products were formerly sold under the NetScaler name.  The vulnerability has been widely discussed in both the Citrix and information security communities.  NIST's National Vulnerability Database rates its severity as Critical.

What is CVE-2019-19781?

This CVE is a directory traversal in both the Citrix ADC and Citrix Gateway products.  Testing has also shown that an attacker who reaches the /vpns/ directory through the traversal can get code executed there, and that no authentication is needed to do so.  That is what makes it so dangerous: it is not merely an information leak, because any code an attacker manages to place in that directory could be run by the appliance itself.

Directory traversal lets an attacker use path components such as ../ to reach files and directories outside the ones the web server is meant to expose.  Here it lets a remote attacker reach areas of the appliance they should never be able to touch, and from there run code they should never be able to run.  To learn more about how directory traversal works, be sure to take a look at this helpful article.

It impacts the following Citrix ADC/Citrix Gateway code lines:

  • 13.0
  • 12.1
  • 12.0
  • 11.1
  • 10.5

How Do I Fix CVE-2019-19781?

Citrix has not yet released fixed builds for these code lines, but it has published a knowledge base article (CTX267679) with mitigation steps for CVE-2019-19781.

If you are running one of these vulnerable code lines, it is essential that you apply this mitigation for CVE-2019-19781 now rather than waiting for the fixed build.

It is important to note that once the mitigation is applied, requests for resources under the /vpns/ directory are refused with an HTTP 403, so anything that legitimately depends on that path will stop working until the fixed build is installed.
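To make the traversal described above concrete, and to give operators something to run against their access logs both before and after applying the mitigation, here is an added example; it is not code from the original post or from Citrix.  It percent-decodes each request target, collapses .. segments the way a file system would, and flags requests that land under /vpns/ only by traversing there.  It also includes a simplified approximation, written from memory and not Citrix's own rule text, of what the CTX267679 responder policy refuses for an unauthenticated client; the authoritative rule is the one in the KB article.  The log lines, source addresses, user agents and file names under /vpns/ are all constructed for illustration.

```python
"""Flag directory-traversal requests that resolve into /vpns/ on Citrix ADC / Gateway.

Added example, not code from the original post or from Citrix.  The log lines are
constructed; IPs, user agents and the paths under /vpns/ are made up.
"""
import posixpath
import re
from urllib.parse import unquote

# Constructed combined-log-style lines.  Assumption: whatever records the request
# (the appliance or a proxy in front of it) logs the raw, un-normalized target.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2020:08:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Jan/2020:08:01:05 +0000] "GET /vpn/../vpns/readme.txt HTTP/1.1" 200 83 "-" "curl/7.64.0"
203.0.113.12 - - [10/Jan/2020:08:01:07 +0000] "POST /vpn/..%2fvpns/cgi/ HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
203.0.113.13 - - [10/Jan/2020:08:01:09 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Jan/2020:08:01:12 +0000] "GET /vpn/%2e%2e/../vpns/ HTTP/1.1" 403 0 "-" "curl/7.64.0"
"""

# Pull method, target and status out of a combined-log request line.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_path(raw_target):
    """Drop the query string and percent-decode twice, so that both %2e%2e and
    the double-encoded %252e%252e end up as a literal '..'."""
    path = raw_target.split("?", 1)[0]
    return unquote(unquote(path))


def normalize_path(raw_target):
    """Resolve dot segments the way a file system would: /vpn/../vpns/x -> /vpns/x.
    posixpath.normpath never climbs above '/', so /vpn/../../vpns/ still ends in /vpns/."""
    decoded = decode_path(raw_target)
    normalized = posixpath.normpath(decoded)
    if decoded.endswith("/") and not normalized.endswith("/"):
        normalized += "/"  # normpath strips the trailing slash; keep it for directory requests
    return normalized


def is_traversal_into_vpns(raw_target):
    """True when the request used '..' segments and lands under /vpns/ after normalization.
    A plain /vpns/... request with no '..' is not traversal and is left to the responder rule."""
    segments = decode_path(raw_target).split("/")
    if ".." not in segments:
        return False
    normalized = normalize_path(raw_target)
    return normalized == "/vpns" or normalized.startswith("/vpns/")


def responder_would_block(raw_target):
    """Simplified approximation (assumption, not Citrix's rule text) of the CTX267679
    responder policy for an unauthenticated client: refuse any request whose
    percent-decoded URL contains '/vpns/'.  The real rule also takes SSL VPN session
    state into account, which a log line does not carry."""
    return "/vpns/" in unquote(raw_target)


def scan_log(log_text):
    """Return one record per request that traverses into /vpns/.  A status below 400
    means the appliance served it; 403 is what the mitigation returns."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if not is_traversal_into_vpns(target):
            continue
        status = int(m.group("status"))
        hits.append({
            "line": lineno,
            "src": line.split(" ", 1)[0],
            "method": m.group("method"),
            "raw": target,
            "normalized": normalize_path(target),
            "status": status,
            "served": status < 400,
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        verdict = "SERVED - investigate" if h["served"] else "blocked"
        print(f'line {h["line"]}: {h["src"]} {h["method"]} {h["raw"]} '
              f'-> {h["normalized"]} ({h["status"]}, {verdict})')
```

On the constructed sample this reports lines 2, 3 and 5; the first two were served with a 200, which is what a traversal looks like on an unmitigated appliance, while the last shows the 403 the mitigation produces.  A served traversal request dated before your mitigation went in is worth treating as a possible compromise rather than just a scan.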

Citrix's estimated schedule for fixed builds is: versions 11.1 and 12.0 on January 20, 2020; versions 12.1 and 13.0 on January 27, 2020; and version 10.5 on January 31, 2020.

Why Isn’t There More Information on CVE-2019-19781?

If you look at resources about this CVE, you will notice that there is not much public detail on how it is exploited.  Citrix does say that the /vpns/ directory is involved, but there may well be other troubling aspects to this CVE.

Chances are Citrix knows much more about this vulnerability than it has said.  Since no fixed build is available yet, both Citrix and security researchers are likely holding back details until fixed builds exist for every affected code line.

That has not stopped the vulnerability from progressing, however.  A proof-of-concept exploit has now been released, and the code is available on GitHub.  You can read more about this on ThreatPost.

Citrix Patch Management

Now is a good time to review your Citrix patch management procedures.  When a vulnerability like this comes out, having patch and change management procedures already in place matters for a couple of reasons.

First, it will obviously be very important to update the code on these systems as soon as fixed builds are available, since only the fix removes the vulnerability; the mitigation just blocks the known path to it.

Second, implementing the current mitigation is probably the most important thing organizations running vulnerable code can do right now.  While this started out as a somewhat under-the-radar vulnerability, more information has come out as time has gone on, culminating in the release of a working exploit; once that happens, every unmitigated appliance exposed to the internet becomes a target.

CVE-2019-19781: The Bottom Line

The bottom line when it comes to CVE-2019-19781 is that you must implement Citrix's recommended mitigation as soon as possible, and be ready to update the code on your Citrix ADC and Citrix Gateway devices as soon as fixed builds are released.  Because a working exploit is public, it is also worth checking your appliances and their logs for signs that the traversal was used before the mitigation went in.  If your organization is not already exercising incident response processes that cover its Citrix appliances, now is the time to get started.