Critical Vulnerabilities in Citrix ADC, Citrix Gateway, Citrix SD-WAN
14 January 2020
UPDATED 17 Apr 2020: Update on CVE-2019-11510. Refer to Recommendations for more details.
Background
Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP (CVE-2019-19781)
SingCERT has observed an increase in the number of scanning activities on Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP devices that are vulnerable to CVE-2019-19781. These devices are commonly used to terminate Secure Sockets Layer virtual private networks (VPN).
The vulnerability is a path traversal bug that can be exploited over the Internet. Successful exploitation would allow an unauthenticated attacker to send a tampered request, together with exploit code, for execution on the device.
Pulse Secure Virtual Private Network (VPN) Vulnerability (CVE-2019-11510)
A critical arbitrary file read vulnerability in Pulse Secure VPN, CVE-2019-11510, has been observed to be widely exploited. Unauthenticated attackers with network access via HTTPS can send a specially crafted Uniform Resource Identifier to exploit this vulnerability remotely.
Affected Products
CVE-2019-19781
• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
• Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100 all supported builds
CVE-2019-11510
• Pulse Connect Secure version 9.0R1 to 9.0R3.3
• Pulse Connect Secure version 8.3R1 to 8.3R7
• Pulse Connect Secure version 8.2R1 to 8.2R12
Impact
Successful exploitation of the vulnerabilities could allow unauthenticated attackers to perform remote code execution, take control of the affected systems and gain a foothold inside the targeted networks to conduct further malicious activities. These include the creation of rogue administrator accounts, the unauthorised installation of programs, and the viewing, changing or deletion of data.
Recommendations
CVE-2019-19781
System administrators of affected products are strongly encouraged to perform the following:
• Upgrade Citrix ADC and Citrix Gateway versions 11.1 and 12.0 to builds 11.1.63.15 and 12.0.63.13 respectively immediately.
• Implement the mitigation steps provided by Citrix immediately to prevent further compromise for other versions.
• Upgrade to the latest version upon the release of the firmware updates for Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. Users may subscribe to Citrix's bulletin alert at https://support.citrix.com/user/alerts to receive notification when the new firmware is available.
CVE-2019-11510
• Upgrade Pulse Connect Secure and Pulse Policy Secure server software to the latest version.
for more information on the software versions to deploy.
• System administrators are advised to change the passwords for all Active Directory accounts, including administrator and service accounts, after deploying the update.
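The version ranges and fixed builds listed in this advisory can be checked against a device inventory. The following is an added example, not part of the original advisory or any vendor tooling; the inventory format, the dotted Citrix version form, the status labels and the sample hosts are assumptions made for illustration, and "mitigate" reflects only what this advisory states for branches where it names no fixed build.

```python
import re

# Affected Pulse Connect Secure ranges (inclusive), copied from this advisory.
PULSE_AFFECTED = [("9.0R1", "9.0R3.3"), ("8.3R1", "8.3R7"), ("8.2R1", "8.2R12")]
# Affected Citrix ADC/Gateway branches; value is the fixed build the advisory
# names, or None where it only points to Citrix's mitigation steps.
CITRIX_FIXED = {"13.0": None, "12.1": None, "12.0": "12.0.63.13",
                "11.1": "11.1.63.15", "10.5": None}

def parse_pulse(version):
    """'9.0R3.3' -> (9, 0, 3, 3); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)R(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Pulse version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def pulse_status(version):
    v = parse_pulse(version)
    hit = any(parse_pulse(lo) <= v <= parse_pulse(hi) for lo, hi in PULSE_AFFECTED)
    return "affected" if hit else "not-listed"  # not-listed is not proof of safety

def citrix_status(version):
    """Assumed input form: dotted 'major.minor.build.patch', e.g. '12.0.62.8'."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unrecognised Citrix version: {version!r}")
    branch = f"{parts[0]}.{parts[1]}"
    if branch not in CITRIX_FIXED:
        return "not-listed"
    fixed = CITRIX_FIXED[branch]
    if fixed is None:
        return "mitigate"  # no fixed build named here: apply Citrix mitigation
    fixed_parts = tuple(int(p) for p in fixed.split("."))
    return "upgrade" if parts < fixed_parts else "fixed-build"

def triage(inventory):
    """inventory: iterable of (host, product, version); returns hosts needing action."""
    check = {"pulse": pulse_status, "citrix": citrix_status}
    results = [(h, p, v, check[p](v)) for h, p, v in inventory]
    return [r for r in results if r[3] in ("affected", "upgrade", "mitigate")]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("vpn-a", "pulse", "9.0R3.3"), ("vpn-b", "pulse", "9.0R3.4"),
          ("adc-a", "citrix", "12.0.62.8"), ("adc-b", "citrix", "11.1.63.15"),
          ("adc-c", "citrix", "13.0.41.20")]

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE):
        print(f"{host}: {product} {version} -> {status}")
```

A "not-listed" result only means the version is outside the ranges in this advisory; confirm against the vendor advisories under References before treating a device as unaffected.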
References
https://support.citrix.com/article/CTX267027
https://support.citrix.com/article/CTX267679
https://www.us-cert.gov/ncas/alerts/aa20-010a
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/