Critical Vulnerabilities in Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP (CVE-2019-19781) and Pulse Secure VPN (CVE-2019-11510)

Published on 14 Jan 2020

Updated on 20 Jan 2020

UPDATED 20 Jan 2020: Citrix has released permanent fixes for Citrix ADC and Citrix Gateway versions 11.1 and 12.0. Refer to Recommendations for more details.

Background

Citrix Application Delivery Controller (ADC), Citrix Gateway and Citrix SD-WAN WANOP (CVE-2019-19781)
SingCERT has observed an increase in scanning activity against Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP devices that are vulnerable to CVE-2019-19781. These devices are commonly used to terminate Secure Sockets Layer virtual private networks (VPNs).
The vulnerability is a path traversal bug that can be exploited over the Internet. Successful exploitation allows an unauthenticated attacker to send a tampered request carrying exploit code, which is then executed on the device.

Pulse Secure Virtual Private Network (VPN) Vulnerability (CVE-2019-11510)
CVE-2019-11510, a critical arbitrary file read vulnerability in Pulse Secure VPN, has been observed to be widely exploited. Unauthenticated attackers with network access via HTTPS can exploit it remotely by sending a specially crafted Uniform Resource Identifier.

Affected Products

CVE-2019-19781
• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
• Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100 all supported builds

CVE-2019-11510
• Pulse Connect Secure version 9.0R1 to 9.0R3.3
• Pulse Connect Secure version 8.3R1 to 8.3R7
• Pulse Connect Secure version 8.2R1 to 8.2R12 
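
A triage sketch for the version lists above and the fixed Citrix builds named in the 20 Jan 2020 update. It is an added example, not part of the SingCERT advisory. It assumes inventory versions are normalised to strings such as "12.0.62.8" and "9.0R3.3"; the function names and sample hosts are hypothetical, and Citrix SD-WAN WANOP is not covered.

```python
import re

# Fixed Citrix builds named in the advisory's 20 Jan 2020 update.
CITRIX_FIXED = {"11.1": (63, 15), "12.0": (63, 13)}
# Citrix branches the advisory lists as affected, with no fixed build named.
CITRIX_MITIGATE_ONLY = {"10.5", "12.1", "13.0"}
# Pulse Connect Secure affected ranges: branch -> (first, last) as (R, patch).
PULSE_AFFECTED = {"9.0": ((1, 0), (3, 3)), "8.3": ((1, 0), (7, 0)), "8.2": ((1, 0), (12, 0))}


def triage_citrix(version):
    """version: assumed normalised to 'branch.build', e.g. '12.0.63.13'."""
    m = re.fullmatch(r"(\d+\.\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return "unparsed: check manually"
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    if branch in CITRIX_FIXED:
        fixed = CITRIX_FIXED[branch]
        if build >= fixed:  # assumption: later builds on the branch keep the fix
            return "at or above fixed build"
        return f"upgrade to {branch}.{fixed[0]}.{fixed[1]}"
    if branch in CITRIX_MITIGATE_ONLY:
        return "apply Citrix mitigation, upgrade when firmware is released"
    return "branch not listed in advisory"


def triage_pulse(version):
    """version: Pulse Connect Secure string such as '9.0R3.3' or '8.3R7'."""
    m = re.fullmatch(r"(\d+\.\d+)R(\d+)(?:\.(\d+))?", version.strip(), re.IGNORECASE)
    if not m:
        return "unparsed: check manually"
    branch, rel = m.group(1), (int(m.group(2)), int(m.group(3) or 0))
    bounds = PULSE_AFFECTED.get(branch)
    if bounds and bounds[0] <= rel <= bounds[1]:
        return "affected by CVE-2019-11510"
    return "outside the ranges listed in advisory"


def triage(inventory):
    """inventory: iterable of (host, product, version); product is 'citrix' or 'pulse'."""
    check = {"citrix": triage_citrix, "pulse": triage_pulse}
    return {host: check[product](version) for host, product, version in inventory}


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE = [("gw1", "citrix", "12.0.62.8"), ("gw2", "citrix", "13.0.10.1"),
          ("vpn1", "pulse", "9.0R3.3"), ("vpn2", "pulse", "8.3R7.1")]
if __name__ == "__main__":
    print(triage(SAMPLE))
```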

Impact

Successful exploitation of the vulnerabilities could allow unauthenticated attackers to perform remote code execution, take control of the affected systems and gain a foothold inside the targeted networks to conduct further malicious activities. These include the creation of rogue administrator accounts, unauthorised installation of programs, and the viewing, changing, or deletion of data.

Recommendations

CVE-2019-19781
System administrators of affected products are strongly encouraged to perform the following:
• Immediately upgrade Citrix ADC and Citrix Gateway versions 11.1 and 12.0 to builds 11.1.63.15 and 12.0.63.13 respectively.
• For other versions, implement the mitigation steps provided by Citrix immediately to prevent further compromise.
• Upgrade to the latest version upon the release of the firmware updates for Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP. Users may subscribe to Citrix's bulletin alert at https://support.citrix.com/user/alerts to receive notification when the new firmware is available.