A new free tool is now available for detection of compromise related to the CVE-2019-19781 vulnerability, which affects certain versions of Citrix Application Delivery Controller (ADC), Citrix Gateway, and two older versions of Citrix SD-WAN WANOP. Launched by Citrix Systems and FireEye, the tool is freely accessible in both the Citrix and FireEye GitHub repositories.
It is designed to run locally against Citrix instances and receive a rapid assessment of potential indications of compromise in the user’s systems based on known attacks and exploits. Compatible with all supported versions of Citrix ADC and Citrix Gateway, including 11.1, 12.0, 12.1, 10.5, and 13.0, and Citrix SD-WAN WANOP versions 10.2.6 and 11.0.3, Citrix and FireEye strongly recommend all Citrix users run this tool as soon as possible to increase their overall level of awareness of potential compromise and take appropriate steps to protect themselves. The tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE-2019-19781.
The CVE-2019-19781 vulnerability and its mitigations were reported by Citrix on 17 December 2019. Early this month multiple parties published exploits that take advantage of the vulnerability, significantly increasing the risk to unmitigated systems.
"While our security and engineering teams have been working around the clock to develop, test and deliver permanent fixes to CVE-2019-19781, we have been actively thinking of ways to assist our customers in understanding if and how their systems may have been affected," said Fermin J Serna, Citrix’s chief information security officer.
"We partnered with FireEye Mandiant... to develop a tool that leverages their knowledge of recent attacks against CVE-2019-19781 to help organisations identify potential compromises. The tool utilises our technical knowledge of the Citrix ADC and Gateway products and CVE-2019-19781, combined with industry-leading expertise in cyber forensics and recent FireEye frontline learnings from CVE-2019-19781 related compromises," Serna said.
Charles Carmakal, chief technology officer of FireEye Mandiant consulting, adds, "We believe it is in the best interest of Citrix customers using affected product versions and the entire security community for us to join forces with Citrix to offer a free tool that organisations can rapidly deploy in their own environments to identify potential indicators of compromise of their systems."