CVE-2019-19781 - Question - Must SDX be patched in addition to VPX, or is VPX patching sufficient?

[Nathan Austin]

To be fully patched and protected, must we update SDX to 12.0 build 63.13, in addition to updating all our VPX instances? https://www.citrix.com/downloads/citrix-adc/service-delivery-appliances/sdx-bundle-120-6313.html

[Stefan Arni Stefansson]

I did ask TS yesterday and they said patching the SDX wasn't necessary as long as the mitigations have been applied. I have a hard time believing that.

[Etienne Coppin]

Patching and mitigation will be probably not enough. You have to re-check and control all your appliances.
In our case, we decide to restore instances (or re-image instances) from 1st week of december before the CVE-2019-19781 publication, implement the miyigation proposed by Citrix, revoke/renew certificates + reset of all passwords involved with NetScaler + reset of all administrative accounts with priviledges.

Read carefully these both articles for the verification steps

https://www.poppelgaard.com/cve-2019-19781-what-you-should-know-and-how-to-fix-your-citrix-adc-access-gateway

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

 

[Paul Blitz]

The SDX part of the applience is really just a XenServer with a BSD Service VM. Why would you expect either of those to be susceptible to a netscaler vulnerability. The VPX instances hosted by the SDX will clearly need to be upgraded.