Over 3500 Australian companies may be vulnerable to a flaw in Citrix Application Delivery Controller (ADC) and Gateway appliances that, if exploited, enables attackers to “obtain direct access to the company's local network from the internet”.

The vulnerability was discovered by Positive Technologies security expert Mikhail Klyuchnikov and could put “over 80,000 companies in 158 countries … at risk.”
Australia is in the top five countries by number of companies that are potentially vulnerable to an attack, Positive Technologies said.
The vulnerability has been assigned CVE-2019-19781 and “affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.”
“If that vulnerability is exploited, attackers obtain direct access to the company's local network from the internet,” Positive Technologies said in a statement.
“This attack does not require access to any accounts, and therefore can be performed by any external attacker.
“Considering how long this vulnerability has been around (since the first vulnerable version of the software was released in 2014), detecting potential exploitation of this vulnerability (and, therefore, infrastructure compromise) retrospectively becomes just as important.”
Citrix has released mitigation steps it is urging administrators to “immediately” apply to their appliance configurations.
“Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the internet,” Positive Technologies director of security audit department Dmitry Serebryannikov said.
“Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.
“On a separate note, we want to point out that the vendor responded very promptly, by creating and releasing a set of risk mitigation measures within just a couple of weeks after the vulnerability was discovered.
“From our experience, we know that in many cases it can take months.”