IT administrators are being urged to put in place mitigations for a serious Citrix vulnerability which the vendor says won’t be patched until next week at the earliest, after proof-of-concept (PoC) exploits were published.
Citrix disclosed the CVE-2019-19781 vulnerability in its Citrix Application Delivery Controller (ADC) and Citrix Gateway in mid-December 2019.
If exploited, it could allow an unauthenticated attacker to perform arbitrary code execution, the firm warned, strongly advising customers to apply the relevant mitigations and update the firmware when a new version becomes available.
However, in a new blog post, Citrix revealed that these fixes would not be available until January 20 at the earliest, with version 10.5 not receiving one until January 31.
That could give attackers enough time to compromise organizations that have not applied the relevant mitigations. PoCs have started to emerge on GitHub over the past few days that could allow attackers to gain full control over affected devices.
Troy Mursch, chief research officer at Bad Packets, warned that he had detected multiple exploit attempts from a host in Poland over the weekend.
“Given the ongoing scanning activity detected by security researcher Kevin Beaumont and SANS ISC since January 8, 2020 – it’s likely attackers have enumerated all publicly accessible Citrix ADC and Citrix (NetScaler) Gateway endpoints vulnerable to CVE-2019-19781,” he added.
It’s believed that tens of thousands of systems could be at risk.
Tripwire researcher Craig Young claimed that, of the 58,620 IP addresses he identified as likely NetScaler or ADC VPN portals, 39,378 did not have the mitigations enabled.
“The list contains countless high value targets across a swath of verticals including finance, government, and healthcare,” he added. “In total, there were 141 distinct domain names ending .gov plus another 351 distinct names containing .gov. in the domain.”