Citrix issues first of several patches for critical bug
With hackers actively exploiting a critical vulnerability in its products, corporate virtual private network provider Citrix on Sunday issued the first of several patches for that flaw, and accelerated the timeline for releasing other fixes.
In a statement, Citrix chief information security officer Fermin J. Serna urged customers to apply the latest patches, and said that the company had increased staffing should customers need help installing the new software.
Experts say that successful exploitation of this bug could allow a hacker to burrow into the many Fortune 500 company networks that rely on the software, creating an opportunity for data theft. A flaw in VPN services, in particular, could result in the exposure of sensitive corporate information that victims incorrectly believe is protected behind an additional layer of security.
The Department of Homeland Security’s cybersecurity division on Monday advised Citrix customers to “upgrade their vulnerable appliances as soon as possible.”
The patches released Sunday cover certain versions of Citrix’s application delivery tool, as well as a product that allows remote access to the company’s apps. Citrix also will release patches for other versions of the affected products in the coming days, Serna said, including a fix for one of its Wide Area Network products that is also affected by the vulnerability.
The patches are welcome news for Citrix customers and the security professionals who support them. Cybersecurity analysts reported multiple cases of the vulnerability being exploited in the wild. In one case, an attacker was compromising a vulnerable Citrix product and planting its own code on the network, possibly as a backdoor for future use, according to security company FireEye.
The temporary mitigation measures that Citrix recommended while it prepared patches were not effective in some cases, according to the Netherlands’ national cybersecurity agency. That reportedly led some customers to switch off their affected Citrix gear, rather than apply the mitigation.