It’s been a busy week of patching for Citrix following a severe vulnerability impacting the Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP that is already being exploited by hackers.
Today (January 24) Citrix has issued patches for Citrix ADC and Citrix Gateway versions 12.1 and 13.0. The patches have been a long time coming – the issue was first revealed in December – so many customers will today be letting out a collective sigh of relief.
Available to all customers regardless of whether they have a maintenance contract, the new Citrix fixes should be installed straight away. “We strongly urge all customers to immediately install these fixes,” said Citrix’s security chief Fermin J. Serna in a blog announcing the latest patches.
How important are the fixes?
It may be Friday, but it’s actually a good time to apply those patches before the weekend if you haven’t done so yet.
How do I apply the Citrix patches?
Citrix has included upgrade guides on the download page for release 12.1 and release 13.0. But essentially, you will need to upgrade your Citrix product to the versions listed in Citrix’s blog before starting.
I also included a step-by-step guide in my previous article, outlined by Ian Thornton-Trump, CISO at Cyjax. Here it is in case you missed it previously:
- Step 1: Back up your Citrix environment and verify that you have backups before deploying the fixes.
- Step 2: Make sure your Citrix implementation is under a support contract.
- Step 3: Communicate to the business and schedule a period of downtime for the deployment of the fixes.
- Step 4: Work with business and application owners to test everything after the fixes have been applied.
- Step 5: Do not upgrade or apply fixes to anything else. “Citrix environments are notorious for all sorts of strangeness and unpredictable behaviour: Anything from instability to a large increase in session resource consumption,” Thornton-Trump says. “Do not upgrade or apply fixes for anything else in the Citrix environment or you will never know how to narrow down an issue.”
Is there anything else I need to know?
Citrix and security company FireEye have also launched an indicator-of-compromise tool – essentially a scanner that can hopefully show you if your systems already show signs of being hacked. It’s available for free in the Citrix GitHub Repository, so it makes sense to take a belt-and-braces approach and use it.
This is in addition to a tool issued by the U.S.’s CISA, which helps to check if you are vulnerable to the flaw.
I’ll be updating this story as new information emerges so please do check back later in case Citrix has issued any further updates.