UPDATE: Advice on installation of patches Citrix ADC and Citrix Gateway servers

News item | 25-01-2020 | 08:28

Citrix has made available the final patches (including version 10.5) for the software Netscaler ADC and Gateway Server. NCSC-NL recommends that you install these patches under the conditions below, unless your own risk analysis leads to the conclusion that you are probably compromised. The outcome of the risk analysis may differ from one organization to the next. NCSC-NL cannot determine the risk for your organization.

NCSC-NL recommends to continue to apply monitoring and detection of abuse of these vulnerabilities after applying the patches. NCSC-NL emphasizes that applying mitigating measures should always be based on a risk assessment by the organization itself.

Timeline publications by NCSC-NL

For Dutch overview, click here

25 January 2020, 08:28: Update publication of new patches for version 10.5.
24 January 2020, 19:43: Update to extend advice on recovery plans and publication of new patches for versions 12.1 and 13.0 by Citrix.
20 January 2020, 18:11: Update in news item and added ‘Flowchart risk assessment Citrix vulnerability’.
19 January 2020, 22:00: Date and time of publication of first version of news item.

Patch availability

Patching is only effective if your network has not been compromised. Based on your risk assessment, you can determine the likelihood of a compromise. This flowchart may support you in this effort. NCSC-NL recommends that you continue to apply monitoring and detection of abuse of these vulnerabilities after applying the patches.

If you applied the mitigating measures that Citrix published before 9 January (date of publication of exploit) and you use version 10.5, 11.1, 12.0, 12.1 or 13.0 of Citrix ADC and Citrix Gateway servers, NCSC-NL recommends that you install the patch for the version that you use as soon as possible. The likelihood that the vulnerability has been abused is limited. However, it is still possible that actors who have access to advanced means have exploited this vulnerability. You should consider this in your risk analysis.
If your organization has not applied the mitigating measures that Citrix published, or if you only applied them after 9 January 2020, your system is most likely compromised due to the publication of exploits. NCSC-NL recommends that you draft a recovery plan, as explained in the section “Recovery plan after possible compromise” below.

Parties should verify that patches they apply come from a trusted source.

Advice version 12.1 build 50.28

Take care if you use version 12.1 build 50.28 (release date 28 November 2018). For this version, Citrix has acknowledged that there is a problem affecting mitigation. If you use this version, you need to check if you have applied the mitigating measures fully and correctly, including the measures for protecting the management interface. If you have not done this, your system has most likely been compromised. For other versions, including the ‘refreshed 12.1 build 50.28/50.31’ version (release date 23 January 2019), this problem does not apply.

Recovery plan after possible compromise

Determine (based on risk management) the required depth of the forensic investigation. The established risk profile of your organization determines whether it is necessary to have an (external) third party forensically investigate the compromised systems. NCSC-NL recommends to analyse log files starting 17 December 2019, because on that date Citrix published the vulnerability.

Recommended steps after possible compromise:

Isolate the potentially compromised environment:
- If you have not done so yet: disconnect the Citrix systems from the internet.
- Collect the required data to perform the forensic investigation. This may include:
  - Logging (including network traffic)
  - Files
  - Memory dumps
In this investigation, the tool that Citrix published may prove useful.
The forensic investigation has, among others, the following goals:
- Gathering indications of irregular activity.
- If found:
  - Which indications are there?
  - When did the activity take place?
  - How did the activity take place?
  - Who (e.g. an account name or IP address) caused or performed the activity?

Results forensic investigation of possibly compromised systems

If the forensic investigation did not find any compromise: Install the patches according to your standard update process.

If the forensic investigation did find compromise:

Do not forget the systems that were connected to the vulnerable systems at the time the system was compromised. Since organization-wide systems for identity and access management may have been connected to the vulnerable systems, this may have far-reaching consequences.
Citrix systems store private TLS keys, which should also be considered compromised. In that case, it is necessary to issue new TLS certificates, and to revoke the compromised certificates.
Keep in mind that passwords that are stored on the Citrix systems are also compromised, and should therefore be changed.
Perform a risk analysis to identify and address organization-specific risks, and take additional protection measures if necessary.
As far as possible, use new hardware components and an entirely new installation of the software. If you only update compromised systems, the risk remains that intruders have not completely been removed.

What can you do if you want to keep using Citrix?

In NCSC-NL advisory 2019-0979, you can read more about test tooling, expected patches, possibilities for monitoring and detection, mitigation and checking logfiles.

Flowchart ‘Risk assessment Citrix vulnerability’

Below, you can find a flowchart that you may use when making a risk assessment about the Citrix vulnerability (see PDF).

Publications

Flowchart Citrix vulnerability

This flowchart could assist in making a risk assesment concerning the Citrix vulnerability.

Publication | 21-01-2020