Citrix has fast-tracked its patch timeline to fix the NetScaler vulnerability (CVE-2019-19781) in some of its products up to 25 January.
The vulnerability in Citrix’s Application Delivery Controller (ADC), Gateway and SD-WAN WANOP products, if left unpatched, could lead to arbitrary code execution.
The ADC and Gateway patches are now available for versions 11.1 and 12.0, requiring uses to upgrade to build 18.104.22.168 or 22.214.171.124 respectively.
Meanwhile ADC versions 12.1, 13. 10.5 and SD-WAN WANOP versions 10.2.6 and 11.0.3 are required to have their previously supplied mitigations applied until their patches are available to be installed, which is expected by 25 January.
In a blog post, Fermin J. Serna, chief information security officer at Citrix, urged customers to immediately install the fixes as they become available.
“While all the mitigations associated with CVE-2019-19781 are effective across all known scenarios, we strongly encourage customers to apply the permanent fixes as soon as possible,” Serna said.
This update follows an announcement made by Telstra's deputy chief information security officer Clive Reeves last week urging customers using Citrix technology to take “immediate action” against the flaw.
"This means it could give an attacker direct access to the local networks behind the gateways without the need for an account or authentication," Reeves said. "This could result in attacks via malware, ransomware, a denial of service or facilitate the theft of information."