Welcome back to this week's security bulletin!
Do you remember our discussion on a critical vulnerability discovered in Citrix App? The good news is that they have released patches to mitigate it even though many systems were exploited using the vulnerability during this short period.
As we explained earlier on our end of December blog, the vulnerability found in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) let external attackers access to a company's local network. The vulnerability has been assigned the following CVE number: CVE-2019-19781.
It is necessary to upgrade all Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP instances to the builds listed in the table below. This table also shows the latest release dates, reflecting the accelerated delivery of fixes.
Citrix ADC and Citrix Gateway
Version________Refresh Build__________Release Date
11.1_____________126.96.36.199_____________January 19, 2020
12.0_____________188.8.131.52_____________January 19, 2020
12.1_____________184.108.40.206_____________January 23, 2020
13.0_____________220.127.116.11_____________January 23, 2020
10.5_____________10.5.70.x_____________January 24, 2020
Citrix SD-WAN WANOP
Release______Citrix ADC Release Build_____Release Date
10.2.6b_____________18.104.22.1685_____________January 22, 2020
11.0.3b_____________22.214.171.1245_____________January 22, 2020
In addition to immediately installing these fixes, the Citrix team encourages all customers to use the free Indicator of Compromise Scanning tool. This tool is available under the Apache 2.0 open source license and provides customers with increased awareness of potential compromise related to the CVE-2019-19781 vulnerability on their systems. The tool is designed to allow customers to run it locally on their Citrix instances and receive a rapid assessment of potential Indicators of Compromise based on known attacks and exploits. The tool is freely accessible in the Citrix GitHub Repository.
We have heard enough from software vulnerabilities and now let hardware issues make us worry. A new vulnerability is discovered in modern Intel CPU built before October 2018 that let attackers leak sensitive data from the OS kernel, co-resident virtual machines etc
This vulnerability is assigned CVE-2020-0549 and it is a speculative execution side channel variant known as L1D Eviction Sampling. In previously discovered MDS attacks, attackers need to wait for the required data to be available, but this new flaw allows the attacker to choose which data to be leaked from the L1 cache.
Intel expects to release microcode updates for affected processors which will mitigate the L1D eviction sampling issue. When the microcode update is released, the software can discover if the microcode update contains the mitigation by reading the patch revision number and ensuring it matches or is greater than the corresponding revision number in the Affected Processors table.
The list of processors potentially affected by L1D Eviction Sampling is in the URL given below: