Citrix limits technical info on vulnerabilities and patches after exploits

By on
Citrix limits technical info on vulnerabilities and patches after exploits

Fears reverse engineering.

Enterprise application and desktop virtualisation vendor Citrix will not provide full technical details of vulnerabilities discovered in the company's products, or the patches for these, in an effort to limit the development of exploits.

Citrix chief security officer Fermin Serna said the move was designed to shield intelligence from malicious actors.

"Across the industry, today's sophisticated malicious actors are using the details and patches to reverse engineer exploits," Serna said.

Earlier this year, Citrix Application Delivery Controller or Netscaler servers were subject to large-scale exploitation attempts that used the CVE-2019-19781 to gain access to the devices to run cryptomining malware.

It is believed that attackers also used the CVE-2019-19781 vulnerability against Toll Group and Fisher and Paykel Appliances to plant the Nefilim ransomware, shutting down the organisations' IT systems in the proicess.

Serna also provided additional information on a set of 11 vulnerabilities in the Citrix ADC, Gateway and SD-WAN WANOP products, and stressed that they were not related to CVE-2019-19781.

Although some of the vulnerabilities could result in a system compromise, Ferna pointed out that five of them have barriers to attacks that reduce the risk of exploitation.

There are no known exploits in the wild for the new set of vulnerabilities.

Despite the barriers to exploitation, Serna strongly recommended that Citrix customers apply the security patches.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?