Citrix urged its users to upgrade to a fixed build OR apply the provided mitigation to avoid attacks targeting the vulnerability.
A vulnerability has been identified in Citrix Application Delivery Controller (ADC), if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. Further investigation by Citrix has shown that this issue also affects certain deployments of Citrix SD-WAN, specifically Citrix SD-WAN WANOP edition. Citrix SD-WAN WANOP edition packages Citrix ADC as a load balancer thus resulting in the affected status. CVE number assigned for the vulnerability is CVE-2019-19781.
CVE-2019-19781: Vulnerability in Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliance leading to arbitrary code execution. The vulnerability affects the following supported product versions on all supported platforms:
• Citrix ADC and Citrix Gateway version 13.0 all supported builds before 126.96.36.199
• NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before 188.8.131.52
• NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before 184.108.40.206
• NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before 220.127.116.11
• NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before 10.5.70.12
• Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b
Citrix urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments. Customers who have chosen to immediately apply the mitigation should then upgrade all of their vulnerable appliances to a fixed build of the appliance at their earliest schedule. A detailed explanation can be found on the Citrix support pages.