The vulnerability, tracked as CVE-2019-19781, is a path traversal flaw that allows unauthenticated remote code execution. It impacts the Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, as well as Citrix SD-WAN WANOP.
I wish I could say, "better late than never," but since hackers don't waste time or miss any opportunity to exploit vulnerable systems, even a short window of time resulted in the compromise of hundreds of Internet-exposed Citrix ADC and Gateway systems.
"The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX)," the company says. "Further investigation by Citrix has shown that this issue also affects certain deployments of Citrix SDWAN, specifically Citrix SDWAN WANOP edition. Citrix SDWAN WANOP edition packages Citrix ADC as a load balancer thus resulting in the affected status."
Rated critical with a CVSS v3.1 base score of 9.8, the issue was discovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, who reported it to Citrix in early December 2019; Citrix published its advisory (CTX267027) on December 17, 2019.
All supported builds of Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, 12.0 and 11.1, and Citrix NetScaler ADC and NetScaler Gateway 10.5 are affected, as are SD-WAN WANOP versions 10.2.6 and 11.0.3.
FireEye researchers found an attack campaign in which an actor was compromising vulnerable Citrix ADCs to install a previously unseen payload, dubbed "NotRobin," that scans the system for cryptominers and malware deployed by other attackers and removes them, keeping the appliance for its own exclusive backdoor access.
Citrix had already published a timeline of anticipated fixes: patches for versions 13.0 and 12.1 were expected on January 27, 10.5 on January 31, and 12.0 and 11.1 on January 20.
As part of its first batch of updates, Citrix today released permanent patches for ADC versions 11.1 (build 63.15) and 12.0 (build 63.13) that also apply to "ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX)."
Citrix has also shortened the wait for fixes to the remaining versions: patches for 12.1, 13.0 and 10.5 are now expected on January 24, with the Citrix SD-WAN WANOP fix due the same day.
Citrix has also provided a verification tool so admins can confirm that the interim mitigation has been applied correctly. Note that applying the patch closes the hole but does not remove anything an attacker already planted; appliances that were exposed before being patched should still be checked for signs of compromise.
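With fixes arriving branch by branch, the practical question for an admin is which appliances in the fleet are actually on a fixed build. The script below is an added example, not Citrix's verification tool or code from this article: it parses the version banner printed by `show ns version` (the banner format and the hostnames are constructed for illustration) and compares it against the two fixed builds Citrix has shipped so far, 11.1 build 63.15 and 12.0 build 63.13, treating every other branch as still exposed. Build numbers are compared as integer tuples so that 63.9 sorts below 63.13, a mistake that a plain string comparison would make.

```python
import re

# Fixed builds from Citrix's first batch of permanent patches (11.1 build 63.15
# and 12.0 build 63.13). No other branch had a permanent fix when this was
# written; extend this table as Citrix ships further builds.
FIXED_BUILDS = {
    "11.1": (63, 15),
    "12.0": (63, 13),
}

# Matches the version line printed by `show ns version` on the appliance,
# e.g. "NetScaler NS12.0: Build 63.13.nc, Date: ...". Banner format is an
# assumption of this example.
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_ns_version(banner):
    """Return (branch, (build_major, build_minor)) from a version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised version banner: %r" % banner)
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def patch_status(banner, fixed=FIXED_BUILDS):
    """Classify one appliance as 'patched', 'unpatched' or 'no-fix-available'.

    Builds are compared as integer tuples, not strings, so that build 63.9
    correctly sorts below build 63.13.
    """
    branch, build = parse_ns_version(banner)
    if branch not in fixed:
        # No permanent fix published for this branch yet: at best the box is
        # running the interim mitigation, so treat it as still exposed.
        return "no-fix-available"
    return "patched" if build >= fixed[branch] else "unpatched"


def assess_fleet(inventory, fixed=FIXED_BUILDS):
    """Map each host to its status; unparsable banners are flagged, not skipped."""
    report = {}
    for host, banner in inventory.items():
        try:
            report[host] = patch_status(banner, fixed)
        except ValueError:
            report[host] = "unknown-version"
    return report


# Constructed sample inventory: hostnames, banners and dates are made up.
SAMPLE_INVENTORY = {
    "adc-dmz-01": "NetScaler NS12.0: Build 63.13.nc, Date: Jan 17 2020, 00:46:43",
    "adc-dmz-02": "NetScaler NS12.0: Build 62.10.nc, Date: Sep 12 2019, 10:23:12",
    "gw-hq-01":   "NetScaler NS11.1: Build 63.9.nc, Date: Oct 11 2019, 08:43:01",
    "gw-hq-02":   "NetScaler NS13.0: Build 47.22.nc, Date: Nov 28 2019, 23:11:43",
    "sdwan-01":   "connection refused",
}

if __name__ == "__main__":
    for host, status in sorted(assess_fleet(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (host, status))
```

Anything that is not reported as "patched" needs attention, and "no-fix-available" hosts need the interim mitigation confirmed until their branch gets a build. A "patched" result only says the hole is closed; it says nothing about whether the appliance was already backdoored while it was exposed.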