CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score Confidence: High
EPSS Percentile: 100.0%
Note: As of January 24, 2020, Citrix has released all expected updates in response to CVE-2019-19781.[1]
On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0.
On January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances.
On January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0.
On January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.
A remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[2] This vulnerability has been detected in exploits in the wild.[3]
The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.
On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.
The vulnerability affects the following appliances:
Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781 on January 22, 2020. The tool aids customers with detecting potential IOCs based on known attacks and exploits.[13]
See the National Security Agency’s Cybersecurity Advisory on CVE-2019-19781 for other detection measures.[14]
CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.[15] CISA encourages administrators to visit CISA’s GitHub page to download and run the tool.
CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP as soon as possible.
The fixed builds can be downloaded from Citrix Downloads pages for Citrix ADC, Citrix Gateway, and Citrix SD-WAN.
Until the appropriate update is implemented, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781.[16] Verify the successful application of the above mitigations by using the tool in CTX269180 – CVE-2019-19781 – Verification Tool. **Note:** these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.[17]
Refer to table 1 for Citrix’s fix schedule.[18]
Table 1. Fix schedule for Citrix appliances vulnerable to CVE-2019-19781
Vulnerable Appliance | Firmware Update | Release Date |
---|---|---|
Citrix ADC and Citrix Gateway version 10.5 | Refresh Build 10.5.70.12 | January 24, 2020 |
Citrix ADC and Citrix Gateway version 11.1 | Refresh Build 11.1.63.15 | January 19, 2020 |
Citrix ADC and Citrix Gateway version 12.0 | Refresh Build 12.0.63.13 | January 19, 2020 |
Citrix ADC and Citrix Gateway version 12.1 | Refresh Build 12.1.55.18 | January 23, 2020 |
Citrix ADC and Citrix Gateway version 13.0 | Refresh Build 13.0.47.24 | January 23, 2020 |
Citrix SD-WAN WANOP Release 10.2.6 | Build 10.2.6b | January 22, 2020 |
Citrix SD-WAN WANOP Release 11.0.3 | Build 11.0.3b | January 22, 2020 |
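The following added example (not part of the CISA advisory or any Citrix tool) shows one way to check an appliance inventory against the fixed builds in Table 1. The product keys, status labels, host names and inventory build strings are constructed for illustration, and it assumes that builds within one release branch sort numerically and then by letter suffix.

```python
import re

# Fixed builds copied from Table 1, keyed by (product, release branch).
FIXED_BUILDS = {
    ("adc-gateway", "10.5"): "10.5.70.12",
    ("adc-gateway", "11.1"): "11.1.63.15",
    ("adc-gateway", "12.0"): "12.0.63.13",
    ("adc-gateway", "12.1"): "12.1.55.18",
    ("adc-gateway", "13.0"): "13.0.47.24",
    ("sdwan-wanop", "10.2.6"): "10.2.6b",
    ("sdwan-wanop", "11.0.3"): "11.0.3b",
}

def parse_build(build):
    """Split '12.1.55.18' or '10.2.6b' into (numeric tuple, letter suffix)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", build.strip().lower())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def assess(product, build):
    """Return 'fixed', 'needs-update' or 'not-in-table' for one appliance."""
    nums, suffix = parse_build(build)
    for (prod, branch), fixed in FIXED_BUILDS.items():
        branch_nums = tuple(int(p) for p in branch.split("."))
        if prod == product and nums[:len(branch_nums)] == branch_nums:
            # Assumption: a build at or above the fixed build carries the fix.
            return "fixed" if (nums, suffix) >= parse_build(fixed) else "needs-update"
    # Branch is not listed in Table 1: review it manually.
    return "not-in-table"

# Constructed sample inventory: (host, product, running build).
INVENTORY = [
    ("adc-01", "adc-gateway", "12.1.55.18"),
    ("adc-02", "adc-gateway", "13.0.41.20"),
    ("gw-01", "adc-gateway", "11.1.63.15"),
    ("wanop-01", "sdwan-wanop", "10.2.6"),
    ("wanop-02", "sdwan-wanop", "11.0.3b"),
    ("adc-legacy", "adc-gateway", "10.1.129.11"),
]

def audit(inventory):
    """Map each host to its status against Table 1."""
    return {host: assess(product, build) for host, product, build in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {status}")
```

A `not-in-table` result means the release branch does not appear in Table 1, so the appliance needs manual review rather than being treated as unaffected.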
Administrators should review NSA’s Citrix Advisory for other mitigations, such as applying the following defense-in-depth strategy:
“Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN/TLSVPN is discouraged.”
[1] Citrix Blog: Citrix releases final fixes for CVE-2019-19781
[4] CERT/CC Vulnerability Note VU#619785
[5] CISA Current Activity: Citrix Application Delivery Controller and Citrix Gateway Vulnerability
[7] Citrix Blog: Citrix provides update on Citrix ADC, Citrix Gateway vulnerability
[9] Citrix Blog: Vulnerability Update: First permanent fixes available, timeline accelerated
[10] Citrix Blog: Update on CVE-2019-19781: Fixes now available for Citrix SD-WAN WANOP
[11] Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781
[12] Citrix Blog: Fixes now available for Citrix ADC, Citrix Gateway versions 12.1 and 13.0
[13] Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781
[16] Citrix Security Bulletin CTX267679, Mitigation Steps for CVE-2019-19781
January 20, 2020: Initial Version
January 23, 2020: Updated with information about Citrix releasing fixes for SD-WAN WANOP appliances and an IOC scanning tool
January 24, 2020: Updated with information about Citrix releasing fixes for Citrix ADC and Gateway versions 10.5, 12.1, and 13.0
January 27, 2020: Updated vulnerable versions of ADC and Gateway version 10.5