Citrix vulnerability allows criminals to hack networks of 80,000 companies

Mikhail Klyuchnikov, a Positive Technologies expert, discovered a critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway). If the vulnerability is exploited, attackers obtain direct access to the company’s local network from the Internet. The attack does not require access to any accounts and can therefore be performed by any external attacker.

Positive Technologies experts determined that at least 80,000 companies in 158 countries are potentially at risk. The top five countries with such organisations are the United States (the absolute leader, with over 38% of all vulnerable organisations), the UK, Germany, the Netherlands and Australia.

The discovered vulnerability was assigned the identifier CVE-2019-19781. The vendor has not yet officially assigned a CVSS severity level to this vulnerability, but Positive Technologies experts believe it has the highest level, a 10. The vulnerability affects all supported versions of the product and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and Citrix NetScaler ADC and NetScaler Gateway 10.5.

“Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet. Considering the high risk brought by the discovered vulnerability and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat,” says Dmitry Serebryannikov, Director of Security Audit Department, Positive Technologies. “On a separate note, we want to point out that the vendor responded very promptly, by creating and releasing a set of risk mitigation measures within just a couple of weeks after the vulnerability was discovered. From our experience, we know that in many cases it can take months.”
