Citrix ADC CVE-2019-19781

Citrix issued an advisory yesterday for CVE-2019-19781, a path-traversal vulnerability in Citrix ADC (formerly NetScaler) and Citrix Gateway that allows unauthenticated remote code execution through a single specially-crafted HTTP request (Citrix advisory CTX267027). The vulnerability is in the URL-handling code of the affected appliances and affects, on Citrix's analysis, all currently-supported versions. Mitigations have been published; patches will not be available until late January 2020 at the earliest. The combination — critical pre-authentication remote code execution, no patch, a six-week mitigation-only window over the Christmas period — is operationally awful and is going to consume a substantial fraction of the customer-portfolio's December and January attention.

The technical content is, for those familiar with appliance-side path-traversal vulnerabilities, in a familiar pattern. The affected URL-handling code does not adequately normalise the path component of incoming requests, and an attacker who constructs a request with appropriate path-traversal sequences can cause the appliance to execute code from a location the request was not intended to reach. The exploitation is, on the public information, straightforward; proof-of-concept exploits will be available within days, exploit-kit incorporation within weeks, and mass-exploitation against unmitigated estates within the same timeframe. The deployment population — Citrix ADC and Gateway are widely deployed at enterprise perimeters and as remote-access infrastructure — is large and substantially internet-exposed.
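As an added illustration of the pattern described above (example code, not from the original post and not Citrix's code), the following Python contrasts an access check taken on the raw request path with one taken on the canonicalised path, and runs a traversal check over constructed access-log lines. The `/admin/` prefix, the log lines and the addresses are constructed for the example.

```python
"""Added example (not from the post or from Citrix): path checks that run
before canonicalisation are bypassable; canonicalise first, then decide.
The protected prefix, log lines and addresses below are constructed."""
import posixpath
import re
from typing import List
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin/"  # hypothetical restricted area

def canonicalise(raw_path: str) -> str:
    """Percent-decode twice (catches double encoding such as %252e), then
    collapse '.' and '..' segments the way the file layer will."""
    decoded = unquote(unquote(raw_path))
    # Re-add exactly one leading '/': normpath keeps it, so '..' cannot
    # climb above the root (and a '//' prefix would otherwise be preserved).
    return posixpath.normpath("/" + decoded.lstrip("/"))

def naive_is_blocked(raw_path: str) -> bool:
    """Bug pattern: the decision is taken on the un-normalised request path."""
    return raw_path.startswith(PROTECTED_PREFIX)

def hardened_is_blocked(raw_path: str) -> bool:
    """Fix: decide on the canonical path the back end will actually resolve."""
    return canonicalise(raw_path).startswith(PROTECTED_PREFIX)

def is_traversal_attempt(raw_path: str) -> bool:
    """Log heuristic: any '..' segment after decoding is a traversal attempt."""
    return ".." in unquote(unquote(raw_path)).split("/")

# Constructed access-log lines in common log format (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2019:09:14:02 +0000] "GET /public/index.html HTTP/1.1" 200 512
203.0.113.9 - - [18/Dec/2019:09:14:05 +0000] "GET /public/../admin/config HTTP/1.1" 200 77
203.0.113.9 - - [18/Dec/2019:09:14:06 +0000] "GET /public/%2e%2e/admin/config HTTP/1.1" 200 77
198.51.100.4 - - [18/Dec/2019:09:15:11 +0000] "GET /admin/config HTTP/1.1" 403 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_log(log_text: str) -> List[str]:
    """Return the client address of every request that looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_traversal_attempt(match.group(1)):
            hits.append(line.split()[0])
    return hits
```

The two 200 responses in the constructed log are the case the post describes: the raw-path check passes them, the canonical-path check does not.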

For the customer estates, the mitigation deployment is the immediate work. The mitigation is a configuration-level intervention that can be applied without firmware update; the Citrix advisory includes the specific configuration directives. Browne Jacobson uses Citrix ADC; mitigations applied today. Towry uses ADC at perimeter for several services; mitigations applied today. The manufacturer's substantial XenApp deployment includes ADC as the front-end; mitigations being applied through the maintenance windows scheduled for the next 48 hours. The financial-services firm uses ADC; mitigations applied. The retailer does not run Citrix.

The Christmas timing is operationally significant. The customer-organisation IT teams are mostly on reduced staffing through the Christmas period; the change-management cycles for emergency configuration changes are slower; the executive escalation paths for any incident response are less responsive. The opposite incentive applies to the attacker — the holiday period is operationally favourable for sustained intrusion because the defender's response is slower and the discovery of a compromise is delayed. The combination produces a window in which sustained exploitation against unmitigated estates is more likely than an equivalent disclosure outside the holiday period would produce. The customer-organisation operational posture for the next four weeks needs to factor in this asymmetry.

The wider strategic point is consistent with the supply-chain-and-vendor-risk theme of the past several years. Citrix products are deployed at the enterprise perimeter at substantial scale; vulnerabilities of this nature in those products produce immediate operational risk for the deployed customer base; the patch-versus-mitigation timeline for vendor-side fixes is, in this case, six weeks of mitigation-only operation. The customer-organisation programme work on supply-chain security has historically focused on the software-bill-of-materials and update-channel-integrity questions; the appliance-side vendor-vulnerability question is a parallel discipline that needs comparable attention. The post-Citrix conversations across the portfolio in Q1 2020 are going to include this dimension explicitly.

I will return to this if mass-exploitation materialises in early January, which is the realistic probability. The mitigation-deployment audit cycles continue.
