Citrix has disclosed a severe bug in its Citrix Application Delivery Controller (ADC), which is used by at least 80,000 organizations. And for now, there’s no patch available.
According to Citrix, the bug could allow an attacker to perform arbitrary code execution even without proper authentication.
Admins may also know the affected product as NetScaler ADC, Citrix Gateway or NetScaler Gateway. The bug has been tagged with the identifier CVE-2019-19781.
Given the Christmas holidays, Citrix’s disclosure could be bad timing for enterprise IT admins charged with managing Citrix-powered equipment, which is widely used in enterprise networks across the US, UK, and Australia.
Unfortunately for customers, the US virtualization company doesn't yet have a patch, but it does have a recommended mitigation that can be applied until a firmware fix arrives.
“Citrix strongly urges affected customers to immediately apply the provided mitigation. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released,” Citrix noted in an advisory.
It’s also encouraging admins to subscribe to its bulletin alerts to know when the new firmware is ready. Citrix’s mitigation instructions are available here.
The bug was reported by Mikhail Klyuchnikov, a researcher at UK security firm Positive Technologies, which published its bug report on Monday.
Klyuchnikov says the bug affects 80,000 companies in 158 countries and could allow a remote attacker to compromise an internal network within a minute.
“If that vulnerability is exploited, attackers obtain direct access to the company’s local network from the Internet. This attack does not require access to any accounts, and therefore can be performed by any external attacker,” Positive Technologies noted.
Citrix hasn't assigned the bug a severity score, but Positive Technologies reckons it warrants a severity rating of 10 out of 10.
“This vulnerability affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5,” the security firm notes.