- Researcher discovers a highly critical vulnerability that affects widely-used Citrix software products.
- The vulnerability takes only a minute to exploit and can lead to unlimited corporate network access.
- At least 80,000 companies operating in critical sectors are at risk of getting hacked.

Security expert Mikhail Klyuchnikov of Positive Technologies has discovered a critical vulnerability that affects the Citrix Application Delivery Controller and Citrix Gateway. According to the researcher, the flaw allows an attacker to reach local corporate networks remotely via arbitrary code execution, without requiring access to accounts or knowledge of credentials. The vulnerability has been assigned the identifier CVE-2019-19781, and unofficially, it carries the highest level of criticality (10 on CVSS). The affected products are the following:
- Citrix ADC and Citrix Gateway 13.0
- Citrix ADC and NetScaler Gateway 12.1
- Citrix ADC and NetScaler Gateway 12.0
- Citrix ADC and NetScaler Gateway 11.1
- Citrix NetScaler ADC and NetScaler Gateway 10.5

The above products are used by approximately 80,000 companies in 158 countries. The most significant targets in danger are IT, telecom, banking, fuel, retail, and manufacturing entities in the United States, UK, Germany, the Netherlands, and Australia. As the researcher points out, the vulnerability may have only just been discovered, but it has been present for about 5.5 years, and a hacker would need only a minute to exploit it.

Citrix is informing its clients about the issue and is proposing a set of mitigation steps, as there is no patch out yet. The risk prevention measures consist of running commands that are given in full detail on the relevant Citrix support web page. Besides following the instructions that come directly from Citrix, you may also set your firewall to maximum security and conduct both retrospective analysis and in-depth traffic analysis. Applying patches when they become available goes without saying at this point, and there should be no delay on that part, no matter the complexities that may accompany upgrades in general.

This discovery is not your average cyber-security news, as critical zero-days that affect such leading software products come to light once, maybe twice in a decade. Citrix products are used by many organizations, government bodies, and large companies, and its market share is expected to grow to a magnitude of $5 billion by 2023. From what we can deduce, this flaw was not being exploited during these past five years. However, we can't rule out this possibility yet.