
Citrix NetScaler vulnerabilities won’t be patched until end of January

Some vulnerabilities identified in Citrix products will not be fully patched until the end of January 2020

Cloud and virtualisation technology supplier Citrix has said that serious vulnerabilities in its NetScaler application delivery controller (ADC) and gateway products will not be fully patched until the end of January.

The critical vulnerabilities were uncovered by Mikhail Klyuchnikov of Positive Technologies and disclosed before Christmas 2019. They give attackers arbitrary direct access to an organisation’s local network from the public internet, without needing access to any accounts.

Positive Technologies said it had determined more than 80,000 organisations in 159 countries were at risk, including many in the UK.

Further research by Bad Packets revealed nearly 10,000 Citrix servers at risk in the US, over 2,500 in Germany, around 2,000 in the UK, and over 1,100 in Australia and Switzerland.

Troy Mursch, a researcher at Bad Packets, said in a blog post that further exploitation of the vulnerability could be used by threat actors for a number of different purposes, including spreading ransomware and installing cryptominers. Multiple compromised servers could also be weaponised and turned into components of a distributed denial of service (DDoS) attack.

Other security researchers have revealed that scanning activity targeting vulnerable Citrix servers has dramatically increased in the past few weeks, although this is not necessarily evidence of compromise. TripWire’s Craig Young revealed his scans had shown more than 140 domains ending in .gov were at risk, and over 350 containing .gov, predominantly in the UK and Australia.

In an update, Citrix’s Fermin Serna said: “We immediately started our security response process that involves, among other actions, variant analysis and mitigation development. Due to the increased risk of vulnerability leaks and the potential for an uncoordinated disclosure, we published a security advisory with detailed mitigations.

“These mitigations cover all supported versions and contain detailed steps designed to stop a potential attack across all known scenarios. We are currently working to develop permanent fixes. As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested.”

Citrix now anticipates that full patches for the most recent versions of the products will become available beginning on 20 January for versions 11.1 and 12, on 27 January for versions 12.1 and 13, and on 31 January for version 10.5.

“At Citrix, the security of our products, services, and corporate environment is paramount. We take product and service vulnerabilities very seriously and commit significant resources to protect our customers, employing robust security policies and procedures to ensure that we detect and respond effectively to vulnerabilities and incidents and minimise their impact,” said Serna.

TripWire’s Young urged those at risk to take advantage of Citrix’s mitigation steps. “It is alarming that so many organisations are currently at risk in such a sensitive part of their organisation. Each one of these devices is an opportunity for criminals or spies to gain access to restricted networks and impersonate authorised users,” he wrote.

Positive Technologies’ security audit department director, Dmitry Serebryannikov, said: “We want to point out that the vendor responded very promptly, by creating and releasing a set of risk mitigation measures within just a couple of weeks after the vulnerability was discovered. From our experience, we know that in many cases it can take months.”
