NFIR Threat Intelligence Report on critical vulnerability in Citrix


What are Citrix ADC / Gateway?

Citrix Application Delivery Controller, or ADC (formerly NetScaler ADC), is an application delivery and load-balancing solution used to publish and front applications in enterprise environments. Citrix Gateway is an on-premises remote-access solution that gives users access to applications and resources.

What potential impact does this vulnerability have?

If an attacker successfully exploits the vulnerability, it could lead to unauthorized access to the Citrix appliance and, from there, to the underlying systems and network infrastructure that the appliance provides access to.

The vulnerability can only be exploited if the appliance is configured as a gateway using the SSL VPN functionality, or if it is configured as an ICA proxy with authentication. Citrix rates the vulnerability as "critical".

What are the recommendations?

NFIR advises customers running affected Citrix ADC and Citrix Gateway versions to install the relevant updated version of Citrix ADC or Citrix Gateway as soon as possible:

  • Citrix ADC and Citrix Gateway 13.1-33.47 and later versions of 13.1
  • Citrix ADC and Citrix Gateway 13.0-88.12 and later versions of 13.0
  • Citrix ADC and Citrix Gateway 12.1-65.21 and later versions of 12.1
  • Citrix ADC 12.1-FIPS 12.1-55.289 and later versions of 12.1-FIPS
  • Citrix ADC 12.1-NDcPP 12.1-55.289 and later versions of 12.1-NDcPP

Is there a plan of action?

It is important for your organization to take at least the following steps:

  1. Check your systems against publicly available Indicators of Compromise (IoCs), if any have been published, to determine whether any system may already have been compromised, or have an external party perform a preventive investigation of your systems.
  2. Prepare your organization for situations in which patches must be applied unexpectedly (outside the regular maintenance windows), and apply patches in a controlled manner according to your organization's usual change procedure.
  3. Apply the available security updates/patches to the affected systems as soon as they are published, and verify that the updates have actually been applied. If you use an external IT service provider: have your provider perform these actions and have them confirm the actions and their result to you in writing.
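Step 3 ends with verifying that the update has actually landed. On the appliance, `show ns version` prints a banner such as `NetScaler NS13.0: Build 88.12.nc, Date: ...`, and the version list above gives the minimum fixed build per release branch. The following script is an added example (not NFIR's or Citrix's own tooling) that parses that banner and compares the installed build against the fixed builds listed in this advisory. The sample banner lines are constructed. Note one caveat: the page does not say how to tell a 12.1-FIPS or 12.1-NDcPP appliance apart from a standard 12.1 build from the banner alone, so the script assumes the operator passes that as a flag; comparing a FIPS build against the standard 12.1 threshold (or the reverse) gives the wrong answer.

```python
import re

# Minimum fixed builds per release branch, taken from the version list in the
# advisory above. "standard" covers regular 12.1 / 13.0 / 13.1 builds;
# "fips_ndcpp" covers the separately numbered 12.1-FIPS and 12.1-NDcPP builds.
FIXED_BUILDS = {
    ("13.1", "standard"): (33, 47),
    ("13.0", "standard"): (88, 12),
    ("12.1", "standard"): (65, 21),
    ("12.1", "fips_ndcpp"): (55, 289),
}

# Matches the banner line printed by `show ns version`, for example:
#   NetScaler NS13.0: Build 88.12.nc, Date: Oct 28 2022, 08:30:03   (64-bit)
VERSION_RE = re.compile(r"NetScaler NS(?P<major>\d+\.\d+): Build (?P<build>\d+\.\d+)")


def parse_ns_version(output):
    """Return (major, (build_hi, build_lo)) from `show ns version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    hi, lo = m.group("build").split(".")
    return m.group("major"), (int(hi), int(lo))


def is_patched(output, fips_ndcpp=False):
    """True if the installed build is at or above the fixed build for its branch,
    False if it is below, None if the banner is unparseable or the release is
    not covered by the advisory.

    fips_ndcpp is an assumption of this example: the operator must state whether
    a 12.1 appliance runs the FIPS/NDcPP branch, because the thresholds differ.
    """
    parsed = parse_ns_version(output)
    if parsed is None:
        return None
    major, build = parsed
    branch = "fips_ndcpp" if (fips_ndcpp and major == "12.1") else "standard"
    fixed = FIXED_BUILDS.get((major, branch))
    if fixed is None:
        return None
    # Tuple comparison orders (88, 12) above (87, 9) and (88, 9) numerically,
    # which a plain string comparison of "88.12" vs "88.9" would get wrong.
    return build >= fixed


# Constructed sample banners (not captured from real appliances).
SAMPLE_130_OLD = """> show ns version
        NetScaler NS13.0: Build 87.9.nc, Date: Sep 16 2022, 08:30:03   (64-bit)
 Done
"""
SAMPLE_131_FIXED = "        NetScaler NS13.1: Build 33.47.nc, Date: Nov 1 2022, 10:00:00   (64-bit)\n Done\n"
SAMPLE_121_FIPS = "        NetScaler NS12.1: Build 55.289.nc, Date: Nov 1 2022, 10:00:00   (64-bit)\n Done\n"


def describe(output, fips_ndcpp=False):
    """Human-readable verdict for one appliance's `show ns version` output."""
    verdict = is_patched(output, fips_ndcpp)
    parsed = parse_ns_version(output)
    if verdict is None:
        return "UNKNOWN: could not determine release/build from output"
    major, (hi, lo) = parsed
    state = "patched" if verdict else "VULNERABLE, update required"
    return "%s-%d.%d: %s" % (major, hi, lo, state)


if __name__ == "__main__":
    print(describe(SAMPLE_130_OLD))
    print(describe(SAMPLE_131_FIXED))
    print(describe(SAMPLE_121_FIPS, fips_ndcpp=True))
    # Same FIPS banner judged against the standard 12.1 threshold: wrong branch,
    # wrong answer. This is why the operator must know which branch is installed.
    print(describe(SAMPLE_121_FIPS))
```

In practice the input would be the output of `ssh nsroot@<appliance> 'show ns version'` collected from every ADC and Gateway in the estate, and the result should be kept as written evidence of the verification, which is what step 3 asks an external provider to supply.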

Do you have systems where the risk is high (for example, systems that process sensitive or special categories of personal data)? Then consider temporarily taking the system offline until it has been patched.

Disclaimer: NFIR has made every effort to make this information accurate and reliable. However, the information provided is without any guarantee of any kind and its use is entirely at the risk of the user. NFIR assumes no responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided.