ACSC flags critical vulnerabilities in Citrix products

The Australian Cyber Security Centre (ACSC) has issued a critical vulnerability alert related to Citrix software vulnerabilities which contributed to the successful attack on DP World, operator of some of Australia’s major ports.

Two newly discovered flaws in the Citrix NetScaler ADC and NetScaler Gateway products can be exploited to respectively execute code remotely without authentication, and to obtain sensitive information disclosure and conduct session hijacking.

The vulnerabilities are present in pre-patched versions of NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases, NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1, NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0, NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS, NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS, and NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP.

Citrix released patches for the vulnerability in October, and the ACSC is urging any Australian organisations still using the affected products to apply the patches as quickly as possible. The ACSC is also recommending organisations continue monitoring for additional patch updates from Citrix.

But research suggests that DP World had failed to apply the patches before the high-profile attack which forced the company to shut down operations at its ports in Brisbane, Melbourne, Perth and Sydney for a three-day period ending on 13 November.

DP World has revealed that it is continuing to investigate the incident and conduct remediation work in the wake of the breach.

The ACSC, part of the Australian Signals Directorate, is offering to provide organisations impacted by the Citrix vulnerabilities with advice or assistance as required.

Image: DP World.