Citrix has revealed a severe bug in its Citrix Application Delivery Controller (ADC), which is used by at least 80,000 organizations.
This bug could let an attacker perform arbitrary code execution without authentication. As of now, there is no patch available.
The bug has been assigned CVE-2019-19781, and admins may also know the affected product as NetScaler ADC, Citrix Gateway or NetScaler Gateway.
Citrix-powered equipment is widely used in enterprise networks across the US, UK and Australia, and the disclosure comes at a bad time for the enterprise IT admins who manage it, falling over the Christmas holidays.
As there is no patch available, the company recommends a mitigation that can be implemented until a firmware fix arrives.
According to a Citrix advisory, all the affected customers are immediately advised to apply the provided mitigation. Customers must then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released.
The company also urges the admins to subscribe to its bulletin alerts to know when the new firmware will be available.
The bug was reported by Mikhail Klyuchnikov, a researcher at UK security firm Positive Technologies.
According to him, the bug affects 80,000 companies in 158 countries and could allow a remote attacker to compromise an internal network within a minute.
If the vulnerability is exploited, the attackers can gain direct access to the company's local network from the Internet. The attack does not require access to any accounts, and therefore can be performed by any external attacker.
Even though Citrix has not assigned the bug a severity score, Positive Technologies has given it a severity rating of 10 out of 10.
The security company stated that this vulnerability affects all supported versions of the product and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.