Telstra urges ‘immediate action’ against unpatched Citrix flaw

Telstra has urged business customers to fix an unpatched flaw in their Citrix systems three weeks after the vulnerability was first uncovered.

The telco warned local enterprise users that hackers are actively scanning Citrix servers for gaps following the discovery of a vulnerability in the vendor’s Application Delivery Controller (ADC) and Gateway.

More than 3,500 companies in Australia are vulnerable to attack, according to the UK-based security firm Positive Technologies, which discovered the flaw known as CVE-2019-19781.

“It is important that customers are aware that a working exploit to this threat has been published on the internet and to take immediate action,” Clive Reeves, Telstra’s Deputy Chief Information Security Officer wrote in a blog post.

The vulnerability affects all supported versions of the product and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.

If exploited, the flaw allows threat actors to conduct remote code execution (RCE) attacks, which gives them direct access to the local networks behind the gateways without an account or authentication. 

According to Reeves, this could result in cyber attacks including malware, ransomware, a denial of service or theft.

The vulnerability remains as of yet unpatched, although Citrix has released mitigation steps which all users and customers are urged to take.

Users are all advised to upgrade all their vulnerable applications to a fixed version of firmware when released towards the end of January.