Maksim Kabakou - Fotolia

Citrix ADC vulnerability discovered, temporary fix released

A security firm said a Citrix ADC and Citrix Gateway vulnerability could affect more than 80,000 companies. Immediate action was recommended, but the holidays might have complicated things.

Citrix announced in December that a vulnerability in its Application Delivery Controller and Gateway software had been discovered, and urged users to take steps to nullify a problem that could affect more than 80,000 businesses.

The vulnerability, according to experts, could enable an unauthenticated person to access a company's local network from the internet. The issue, designated as "CVE-2019-19781," affects all supported versions of Citrix ADC, the company's application and load-balancing product, and Citrix Gateway, which provides access to virtual, software-as-a-service and web applications.

Per a Citrix spokesperson, the company has taken measures to address the vulnerability, issuing to its customers a series of steps that would neutralize attacks. Citrix is working on a code fix to eliminate the problem.

Citrix credited several security experts -- Mikhail Klyuchnikov of the London-based security firm Positive Technologies and Gianlorenzo Cipparrone and Miguel Gonzalez of the Irish bookmaking company Paddy Power Betfair -- for their work in discovering the Citrix ADC and Gateway vulnerability. In a release, Positive Technologies indicated that at least 80,000 companies in 158 countries were at risk.

"Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security services take immediate steps to mitigate the threat," Dmitry Serebryannikov, security audit department director at Positive Technologies, said in a news release. "On a separate note, we want to point out that the vendor responded very promptly by creating and releasing a set of risk mitigation measures within just a couple of weeks after the vulnerability was discovered. From our experience, we know that, in many cases, it can take months."

According to Positive Technologies, companies can use web application firewalls to defend against attacks.

'Doing the right things'

Enterprise Strategy Group senior analyst Bob Laliberte said the timing of the discovery could pose problems to organizations who use the services, as many were shut down or only had skeleton crews working during the holidays.

Laliberte said, despite some attention-grabbing headlines, it does not appear that anyone was hacked as a result of the Citrix ADC vulnerability, and that the firms involved had worked diligently to correct the issue.

"The important thing is that it seems [Citrix] is doing the right things," he said.

Laliberte said he did not believe the news would have a big impact in business confidence in the service or application delivery as a whole.

"When working with established companies like Citrix, it's not so much that there's not going to be a problem -- it's how they handle it," he said. "Engineers work really hard to build security into their solutions. It's important to deal with [a problem] when it comes."

Dig Deeper on Virtual desktop delivery tools