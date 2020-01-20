advertisement

The recently discovered dangerous vulnerability in Citrix ADC software has finally been fixed. The company urges everyone who uses its platform to update immediately.

The vulnerability, known as CVE-2019-19781, was discovered by Positive Technologies’ Mikhail Klyuchnikov in December last year. There was no patch at the time, and when the news came out, it emerged that hackers were scanning the web for vulnerable Citrix instances.

Citrix responded quickly with remedial measures until a fix was made available.

The critical path traversal vulnerability has been classified as dangerous and has allowed hackers to start running arbitrary code without prior authentication. When the vulnerability was first discovered, around 80,000 companies in 160 countries used the software.

“The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) that are based on Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP, or a Citrix ADC Service Delivery Appliance (SDX) “says the company.

“Further research by Citrix has shown that this problem also affects certain deployments of Citrix SDWAN, in particular the Citrix SDWAN WANOP Edition. The Citrix SDWAN WANOP Edition packs Citrix ADC as a load balancer and thus leads to the affected status.”

The fixes apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP, or a Citrix ADC service delivery appliance (SDX).

There is no need to upgrade SVM to SDX.

“It is necessary to update all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to create 11.1.63.15 to install the vulnerability fixes. It is required to update all Citrix ADC and Citrix Gateway 12.0 Instances (MPX or VPX) to upgrade to build 12.0.63.13 to install the vulnerability fixes. “

The patches for versions 12 and 11.1 can be found here and here.

