Security Bulletin: Citrix Application Delivery Controller and Citrix Gateway Vulnerability

January 03, 2020 | Posted in: Security Bulletins & Alerts

Citrix recently published a critical security bulletin (CVE-2019-19781) advising users of a vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway. If exploited, it can allow an unauthenticated attacker to execute code on the appliance, potentially compromising a critical perimeter security component. Many organizations rely on these devices as load balancers to control access from the outside to internal Citrix servers and to terminate SSL VPNs.

The vulnerability affects all supported product versions of Citrix ADC & Gateway, ranging from versions 10.5 to 13.0. Citrix has yet to release a patch addressing the threat; however, they have provided direction for implementing a temporary solution to mitigate risk while a patch is being developed.

Course of Action

Systems Engineering clients who have a Citrix ADC/Gateway (Citrix NetScaler) covered by Critical Care (service response plan) will have the temporary solution put in place. Our team is working with affected clients to coordinate the installation of the temporary solution.

If your organization’s environment has a Citrix ADC/Gateway not covered under Critical Care, we recommend you apply the temporary solution immediately.

Please contact Systems Engineering Customer Service at 207.772.4199 or your Account Manager with any questions.