
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN420
_____________________________________________________________________

DATE                : 17/12/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Citrix NetScaler,
                                     Citrix NetScaler Gateway,
                                     Citrix ADC,
                                     Citrix Gateway.

=====================================================================
https://support.citrix.com/article/CTX267027
_____________________________________________________________________

CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller
and Citrix Gateway

Reference: CTX267027

Category : Critical

Created  : 17 Dec 2019

Modified : 17 Dec 2019

Applicable Products

  o NetScaler
  o NetScaler Gateway
  o Citrix ADC
  o Citrix Gateway

Description of Problem

A vulnerability has been identified in Citrix Application Delivery
Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway,
formerly known as NetScaler Gateway, that, if exploited, could allow an
unauthenticated attacker to perform arbitrary code execution.

The vulnerability has been assigned the following CVE number:

o CVE-2019-19781 : Vulnerability in Citrix Application Delivery
Controller and Citrix Gateway leading to arbitrary code execution

The vulnerability affects all supported product versions and all
supported platforms:

o Citrix ADC and Citrix Gateway version 13.0 all supported builds

o Citrix ADC and NetScaler Gateway version 12.1 all supported builds

o Citrix ADC and NetScaler Gateway version 12.0 all supported builds

o Citrix ADC and NetScaler Gateway version 11.1 all supported builds

o Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported
builds


What Customers Should Do

Citrix strongly urges affected customers to immediately apply the
provided mitigation. Customers should then upgrade all of their
vulnerable appliances to a fixed version of the appliance firmware when
released. Subscribe to bulletin alerts at
https://support.citrix.com/user/alerts to be notified when the new
firmware is available.

The following knowledge base article contains the steps to deploy a
responder policy to mitigate the issue in the interim until a permanent
fix is available:
CTX267679 - Mitigation steps for CVE-2019-19781


Acknowledgements

Citrix thanks Mikhail Klyuchnikov of Positive Technologies, and
Gianlorenzo Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc
for working with us to protect Citrix customers.


Changelog

+-------------------------------------+---------------------------------------+
|Date                                 |Change                                 |
+-------------------------------------+---------------------------------------+
|17th December 2019                   |Initial Publication                    |
+-------------------------------------+---------------------------------------+

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================



