As attacks begin, Citrix ships patch for VPN vulnerability

 In Biz & IT, citrix, Policy, pulse secure, ransomware

As attacks begin, Citrix ships patch for VPN vulnerability

Serving the Technologist for more than a decade. IT news, reviews, and analysis.
As attacks begin, Citrix ships patch for VPN vulnerability

Enlarge (credit: Igor Golovniov/SOPA Images/LightRocket via Getty Images)

On January 19, Citrix released some permanent fixes to a vulnerability on the company’s Citrix Application Delivery Controller (ADC) and Citrix Gateway virtual private network servers that allowed an attacker to remotely execute code on the gateway without needing a login. The vulnerability affects tens of thousands of known VPN servers, including at least 260 VPN servers associated with US federal, state, and local government agencies—including at least one site operated by the US Army.

The patches are for versions 11.1 and 12.0 of the products, formerly marketed under the NetScaler name. Other patches will be available on January 24. These patches follow instructions for temporary fixes the company provided to deflect the crafted requests associated with the vulnerability, which could be used by an attacker to gain access to the networks protected by the VPNs.

Fermin J. Serna, chief information security officer at Citrix, announced the fixes in a blog post on Sunday. At the same time, Serna revealed that the vulnerability—and the patches being released—also applied to Citrix ADC and Citrix Gateway Virtual Appliances hosted on virtual machines on all commercially available virtualization platforms, as well as those hosted in Azure, Amazon Web Services, Google Compute Platform, and Citrix Service Delivery Appliances (SDXs).

Read 5 remaining paragraphs | Comments

Hundreds of US government agencies have vulnerable VPNs, data shows.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt