Citrix Releases Patch for Some Vulnerable ADCs and Gateway

Citrix has released two patches for the critical vulnerabilities in the Citrix Application Delivery Controller and the Citrix Gateway. These are software patches for a number of server variants. The remaining variants will receive their updates sooner than originally planned.

Citrix writes in a blog post that there is a permanent fix for certain versions of the Application Delivery Controller, formerly known as NetScaler ADC. These are versions 11.1 and 12.0. According to Citrix, the fixes also work for virtual installations on, for example, Azure, AWS or Hyper-V. The new versions with the patch are numbered 11.1.63.15 and 12.0.63.13. The patches fix a serious vulnerability in the Citrix software associated with the remote home working feature. The vulnerability allows an attacker to perform remote code execution.

The patch does not yet apply to all vulnerable versions of the ADC and Gateway. Only the most commonly used versions are repaired with it. Citrix says the updates for the other versions are coming sooner than planned. The current patch is also available earlier than expected because of the seriousness of the vulnerability. Initially, versions 11.1 and 12.0 would not get a patch until January 27. Versions 12.1, 10.5 and 13.0 are now expected to receive a patch on January 24; the original date for those versions was January 31. Citrix recommends that system administrators apply the mitigation on those other versions. The company has created a tool to check whether this has been done successfully.

The vulnerability was discovered late last year. Until now, Citrix did not have a patch available for the vulnerability. However, the company recommended a mitigation that could prevent the most serious damage. Despite this, several organizations appear to have been affected by an attack exploiting the vulnerability. This happened at the Medical Center Leeuwarden and the municipality of Zutphen, among others. Shortly afterwards, on the advice of the National Cyber Security Center, companies, governments and municipalities switched off their Citrix systems as a precaution.
