Frequently asked questions Citrix ADC and Citrix Gateway servers

News item | 30-01-2020 | 15:53

• FAQ in Dutch/ Veelgestelde vragen Citrix in het Nederlands
• January 30, 2020, 15.53: Update question 3.
• January 25, 2020, 08:25: Update question 1.
• January 24, 2020, 20:33: Update question 1.
• January 23, 2020, 12:33: Publication date and time first version 'Frequently asked questions Citrix'

1. When will the new patches from Citrix will be published and can I trust Citrix pathes?

Citrix published all patches (including version 10.5) for Netscaler ADC and Gateway Server. NCSC-NL advises to install these patches under the conditions as described below. After you install the patches NCSC-NL advises to keep monitoring to detect abuse and to prevent any possible compromise.

Citrix published new patches on thursday the 23th and friday the 24th of January for versions 10.5 and 12.1 and 13.0.

Citrix published patches on sunday the 19th of January for versions 11.1 and 12.0.

Based on its information, NCSC-NL recommends trusting these patches for this vulnerability and installing them under certain conditions.

For additional information and the conditions we posted a news item on January 24, 2020 and publications in Dutch. NCSC-NL states that taking mitigating measures must in all cases be based on a risk assessment by the organization itself.

2. Can I downgrade to a previous Citrix version (for which a patch is available)?

NCSC-NL has not researched the consequences of downgrading. NCSC-NL can not estimate the consequences of downgrading for your organization. Therefore, NCSC-NL does not advise on downgrading. NCSC-NL advises -if your organization wants to downgrade- to decide this in close consultation with a specialist or a Citrix adviser

3. Which Citrix version suffices to bring the organization back online?

First of all you need to make sure that you have not been compromised (see question 4). If you are not compromised, NCSC-NL advises you to install all available updates (patches), except for 12.1 v50.28. In case there is no update available yet for the Citrix version you use, NCSC-NL advises to take mitigation measures first, before bringing systems back online again.

NCSC-NL also advises analyzing log files starting 17 December 2019, because then Citrix published the vulnerability.

4. How do I know if I have been compromised?

You can assume that you have been compromised if you have taken mitigating measures after 9 January 2020. For the period from 9 January 2020 we advise you to analyze your server and the log files in accordance with our previously given advice. Do you want to check if you have been compromised? FireEye and Citrix have published a tool to verify whether the Citrix ADC application is vulnerable or whether it has already been compromised.

If your Citrix implementation is provided to you by an external service provider, it is advisable to inquire with your service provider which actions have been taken and when. Refer to the flowchart provided by NCSC-NL to determine the risks for your own Citrix implementation.

5. What is the threat of this Citrix vulnerability?

When an attacker exploits the vulnerability, the attacker gains access to the network. This makes abuse possible, including for example ransomware attacks, targeted (economic) espionage and sabotage.

6. How do I know if I can apply Citrix’ patch?

Please look at our news item of 24 January 2020. The Citrix Risk Assessment Flow Chart can help you to determine a risk assessment and any follow-up actions for your organization.

7. Why does NCSC-NL advise in all cases to switch off all ADC controllers until patched?

This advice applies to all ADC controllers if mitigation measures are not applied before January 9, 2020 or if you use Citrix version 12.1 v50.28.

8. What should I do if I am compromised?

If your system has been compromised, we advise you to prepare a recovery plan (including the actions listed). Therefore read our news item of 24 January 2020 (see the heading 'Recovery plan after possible compromise'). Do you want to check if you have been compromised? FireEye and Citrix have published a tool to verify whether the Citrix ADC application is vulnerable or whether it has already been compromised.

9. What can I do if I don't know what to consider about Citrix?

NCSC-NL emphasizes that taking mitigating measures must in all cases be based on a risk assessment of the organization. Organizations can determine this with information from NCSC-NL, among other things. Organizations within the Dutch Central Government can address questions to the CIO / CTO of their own Ministry, which is in contact with CIO Rijk and / or NCSC-NL.