-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.4708.9
Vulnerability in Citrix Application Delivery Controller and Citrix Gateway
                              26 October 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Application Delivery Controller
                   Citrix Gateway
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-19781  

Original Bulletin: 
   https://support.citrix.com/article/CTX267027

Revision History:  October  26 2020: vendor issued minor clarification
                   January  28 2020: Fixed releases are available for all listed versions.
                   January  23 2020: Announced fixes for SD-WAN WANOP appliances
                   January  20 2020: Announced release of 12.0 and 11.1 builds. Announced earlier release dates for other versions.
                   January  17 2020: SD-WAN WANOP added, Citrix ADC 12.1 responder bug added and CVE verification tool added
                   January  13 2020: Fix timelines updated
                   December 24 2019: This bulletin incorrectly advised that a patch was available. Note that only mitigation steps are available at present.
                   December 24 2019: Upgraded priority to "Alert". No known exploitation in the wild but significant potential.
                   December 18 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance

Reference: CTX267027

Category : Critical

Created  : 17 Dec 2019

Modified : 23 Oct 2020

Applicable Products

  o NetScaler
  o NetScaler Gateway
  o Citrix ADC
  o Citrix Gateway
  o Citrix SD-WAN WANOP

Description of Problem

A vulnerability has been identified in Citrix Application Delivery Controller
(ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as
NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker
to perform arbitrary code execution.

The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual
Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX,
Hyper-V, KVM, Azure, AWS, GCP, Citrix ADC MPX or Citrix ADC SDX.

Further investigation by Citrix has shown that this issue also affects certain
deployments of Citrix SD-WAN, specifically Citrix SD-WAN WANOP edition. Citrix
SD-WAN WANOP edition packages Citrix ADC as a load balancer, thus resulting in
the affected status.

The vulnerability has been assigned the following CVE number:

o CVE-2019-19781 : Vulnerability in Citrix Application Delivery Controller,
Citrix Gateway and Citrix SD-WAN WANOP appliance leading to arbitrary code
execution

The vulnerability affects the following supported product versions on all
supported platforms:

o Citrix ADC and Citrix Gateway version 13.0 all supported builds before
13.0.47.24

o NetScaler ADC and NetScaler Gateway version 12.1 all supported builds before
12.1.55.18

o NetScaler ADC and NetScaler Gateway version 12.0 all supported builds before
12.0.63.13

o NetScaler ADC and NetScaler Gateway version 11.1 all supported builds before
11.1.63.15

o NetScaler ADC and NetScaler Gateway version 10.5 all supported builds before
10.5.70.12

o Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO
all supported software release builds before 10.2.6b and 11.0.3b

What Customers Should Do

Exploits of this issue on unmitigated appliances have been observed in the
wild. Citrix strongly urges affected customers to immediately upgrade to a
fixed build OR apply the provided mitigation, which applies equally to Citrix
ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments. Customers who have
chosen to immediately apply the mitigation should then upgrade all of their
vulnerable appliances to a fixed build of the appliance at their earliest
schedule. Subscribe to bulletin alerts at
https://support.citrix.com/user/alerts to be notified when the new fixes are
available.

The following knowledge base article contains the steps to deploy a responder
policy to mitigate the issue in the interim until the system has been updated
to a fixed build: CTX267679 - Mitigation steps for CVE-2019-19781

Upon application of the mitigation steps, customers may then verify correctness
using the tool published here: CTX269180 - CVE-2019-19781 - Verification Tool

In Citrix ADC and Citrix Gateway Release "12.1 build 50.28", an issue exists
that affects responder and rewrite policies, causing them not to process the
packets that matched policy rules. This issue was resolved in "12.1 build 50.28
/31", after which the mitigation steps, if applied, will be effective. However,
Citrix recommends that customers using these builds now update to "12.1 build
55.18", or later, where the CVE-2019-19781 issue is already addressed.

Customers on "12.1 build 50.28" who wish to defer updating to "12.1 build
55.18" or later should choose one of the following two options for the
mitigation steps to function as intended:

1. Update to the refreshed "12.1 build 50.28/50.31" or later and apply the
mitigation steps, OR

2. Apply the mitigation steps for protecting the management interface as
published in CTX267679. This will mitigate attacks not just on the management
interface but on ALL interfaces, including Gateway and AAA virtual IPs.
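As an added illustration, not part of the Citrix bulletin or AusCERT's text, the following Python checks an inventory of Citrix ADC / Citrix Gateway build strings against the fixed builds listed above and flags the "12.1 build 50.28" responder-policy exception so that an operator knows whether the interim CTX267679 mitigation can be relied on. The version thresholds come from the bulletin; the host names and build strings in the sample inventory are constructed, and the `parse_build`, `is_affected`, `mitigation_effective` and `triage` function names are this example's own. SD-WAN WANOP releases (10.2.6b, 11.0.3b) use a different version scheme and are deliberately left out.

```python
"""Added example (not from the Citrix/AusCERT bulletin): triage Citrix ADC and
Citrix Gateway build strings against the fixed builds for CVE-2019-19781."""

from typing import Optional, Tuple

# Earliest fixed build per release branch, as listed in the bulletin.
# Any build on the same branch below these numbers is affected.
FIXED_BUILDS = {
    (13, 0): (13, 0, 47, 24),
    (12, 1): (12, 1, 55, 18),
    (12, 0): (12, 0, 63, 13),
    (11, 1): (11, 1, 63, 15),
    (10, 5): (10, 5, 70, 12),
}

# 12.1 build 50.28 has a responder/rewrite policy bug that makes the CTX267679
# mitigation ineffective. The refreshed 50.28 also carries this number, so a
# build string alone cannot tell the two apart; treat it conservatively.
RESPONDER_BUG_BUILD = (12, 1, 50, 28)


def parse_build(version: str) -> Tuple[int, ...]:
    """Parse '12.1.55.18' or '12.1 build 50.28' into (major, minor, build, sub)."""
    cleaned = version.lower().replace("build", ".").replace(" ", "")
    parts = [p for p in cleaned.split(".") if p]
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Citrix ADC build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """True if below the fixed build for its branch, False if at or above it,
    None if the branch is not one the bulletin lists."""
    build = parse_build(version)
    fixed = FIXED_BUILDS.get(build[:2])
    if fixed is None:
        return None
    return build < fixed


def mitigation_effective(version: str) -> bool:
    """The CTX267679 responder policy is ineffective on 12.1 build 50.28;
    on every other listed build the bulletin states no such exception."""
    return parse_build(version) != RESPONDER_BUG_BUILD


def triage(version: str) -> str:
    """Summarise the bulletin's guidance for a single build string."""
    affected = is_affected(version)
    if affected is None:
        return "unknown branch: not covered by this bulletin, check vendor guidance"
    if not affected:
        return "fixed build: mitigation no longer required"
    if not mitigation_effective(version):
        return ("affected and the responder mitigation is ineffective on this build: "
                "upgrade to 12.1.55.18 or later, or to refreshed 50.28/50.31 first")
    return "affected: upgrade to a fixed build, apply CTX267679 mitigation in the interim"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not from the bulletin).
    inventory = {
        "gw-01": "12.1.50.28",
        "gw-02": "13.0.41.20",
        "gw-03": "13.0.47.24",
        "gw-04": "12.1 build 55.18",
        "lb-05": "11.1.63.15",
    }
    for host, ver in inventory.items():
        print(f"{host:6} {ver:18} -> {triage(ver)}")
```

Comparing the parsed tuple against the fixed build for the same branch is what makes the check correct: a 12.0 build such as 12.0.63.13 is fixed even though its numbers are lower than the 12.1 threshold, so a single global "minimum version" would misclassify it.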

Fixed builds have been released across all supported versions of Citrix ADC and
Citrix Gateway. Fixed builds have also been released for Citrix SD-WAN WANOP
for the applicable appliance models. Citrix strongly recommends that customers
install these updates at their earliest schedule. The fixed builds can be
downloaded from https://www.citrix.com/downloads/citrix-adc/ and
https://www.citrix.com/downloads/citrix-gateway/ and
https://www.citrix.com/downloads/citrix-sd-wan/

Customers who have upgraded to fixed builds do not need to retain the
mitigation described in CTX267679.

Fix Timelines

Citrix has released fixes in the form of refresh builds across all supported
versions of Citrix ADC, Citrix Gateway, and applicable appliance models of
Citrix SD-WAN WANOP. Please refer to the table below for the release dates.

+-----------------------------------------------------------------------------+
|                        Citrix ADC and Citrix Gateway                        |
+----------+-------------------------+----------------------------------------+
|Version   |Refresh Build            |Release Date                            |
+----------+-------------------------+----------------------------------------+
|10.5      |10.5.70.12               |24th January 2020 (Released)            |
+----------+-------------------------+----------------------------------------+
|11.1      |11.1.63.15               |19th January 2020 (Released)            |
+----------+-------------------------+----------------------------------------+
|12.0      |12.0.63.13               |19th January 2020 (Released)            |
+----------+-------------------------+----------------------------------------+
|12.1      |12.1.55.18               |23rd January 2020 (Released)            |
+----------+-------------------------+----------------------------------------+
|13.0      |13.0.47.24               |23rd January 2020 (Released)            |
+----------+-------------------------+----------------------------------------+
|                             Citrix SD-WAN WANOP                             |
+----------+-------------------------+----------------------------------------+
|Release   |Citrix ADC Release       |Release Date                            |
+----------+-------------------------+----------------------------------------+
|10.2.6b   |11.1.51.615              |22nd January 2020 (Released)            |
+----------+-------------------------+----------------------------------------+
|11.0.3b   |11.1.51.615              |22nd January 2020 (Released)            |
+----------+-------------------------+----------------------------------------+


Acknowledgements

Citrix thanks Mikhail Klyuchnikov of Positive Technologies, and Gianlorenzo
Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc for working with us
to protect Citrix customers.

Changelog

+------------+----------------------------------------------------------------+
|Date        |Change                                                          |
+------------+----------------------------------------------------------------+
|17th        |                                                                |
|December    |Initial Publication                                             |
|2019        |                                                                |
+------------+----------------------------------------------------------------+
|11th January|Fix Timelines Updated                                           |
|2020        |                                                                |
+------------+----------------------------------------------------------------+
|16th January|SD-WAN WANOP added/Citrix ADC 12.1 responder bug detail added   |
|2020        |                                                                |
+------------+----------------------------------------------------------------+
|16th January|CVE verification tool                                           |
|2020        |                                                                |
+------------+----------------------------------------------------------------+
|17th January|Update to Citrix ADC and Citrix Gateway 12.1 responder policy   |
|2020        |issue                                                           |
+------------+----------------------------------------------------------------+
|19th January|Announced release of 12.0 and 11.1 builds. Announced earlier    |
|2020        |release dates for other versions.                               |
+------------+----------------------------------------------------------------+
|22nd January|Announced fixes for SD-WAN WANOP appliances                     |
|2020        |                                                                |
+------------+----------------------------------------------------------------+
|23rd January|Announced (accelerated) release of 13.0 and 12.1 builds.        |
|2020        |                                                                |
+------------+----------------------------------------------------------------+
|24th January|Announced release of 10.5 build                                 |
|2020        |                                                                |
+------------+----------------------------------------------------------------+
|23rd October|Added explicit statement clarifying that MPX is affected        |
|2020        |                                                                |
+------------+----------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----