New round of bugs found in Citrix software, but this time a patch is ready

There haven’t been any reports of malicious hackers exploiting the vulnerabilities, according to Citrix's CISO.
(Citrix Solutions / Flickr / CC BY-ND 2.0)

Six months ago, a critical vulnerability (CVE-2019-19781) in remote-access software made by Citrix set off an uncomfortable few weeks for the vendor and the Fortune 500 companies that rely on its products.

It took Citrix a month to release a software fix, well after researchers had warned that malicious hackers were actively exploiting the vulnerability. Even with a fix available, Chinese spies conducted a sweeping operation that took advantage of the software flaw in critical infrastructure sectors.

On Tuesday, Citrix revealed 11 new vulnerabilities in those same cloud-based and remote-access products. This time, the Florida-based vendor is hoping to head off attacks by having patches available immediately. The vulnerabilities, under certain conditions, could allow an attacker to inject malicious code into systems running the affected Citrix software, or to conduct a denial-of-service attack against virtual servers. Citrix urged customers to install the fixes.

There haven’t been any reports of malicious hackers exploiting the vulnerabilities, according to Fermin J. Serna, Citrix’s chief information security officer.

The new bugs likely won't have as big a security impact as the Citrix vulnerability that emerged in December, according to Justin Elze, a principal security consultant at security company TrustedSec. Exploiting many of the new bugs requires access to the appliance's management interface, which, generally speaking, isn't sitting on the internet.

But Elze warned against complacency. He pointed to a critical vulnerability in a similar management interface made by another vendor, F5 Networks (CVE-2020-5902, in the BIG-IP management interface). In a lot of organizations, the F5 software was needlessly exposed online and ripe for exploitation. Both the F5 and Citrix vulnerabilities show why it's important to keep those interfaces on a secure network, Elze said in an email.
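The practical check behind Elze's point is whether any management listener sits outside the management network. The following audit is an added example written for this page, not Citrix or F5 tooling: it takes a constructed inventory of listening sockets (host, IP, port, role, all invented) and an assumed management allow-list of 10.10.0.0/24, and flags management listeners bound anywhere else, rating those on globally routable addresses as critical.

```python
import ipaddress

# Constructed sample inventory (hosts and addresses are invented), in the shape
# you might export from a firewall, load-balancer config or CMDB: one record
# per listening socket, tagged with the role that socket serves.
SAMPLE_INVENTORY = [
    {"host": "adc-01", "ip": "10.10.0.5", "port": 443, "role": "management"},
    {"host": "adc-01", "ip": "51.15.20.30", "port": 443, "role": "vpn-gateway"},
    {"host": "adc-02", "ip": "51.15.20.31", "port": 443, "role": "management"},
    {"host": "bigip-01", "ip": "192.168.50.9", "port": 443, "role": "management"},
]

# Assumed policy: management interfaces may only live on this network.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]


def audit_management_exposure(inventory, mgmt_networks=MGMT_NETWORKS):
    """Return a finding for every management listener outside mgmt_networks.

    A management listener on a globally routable address is 'critical' (it is
    reachable from the internet unless something upstream blocks it); one on a
    non-management private address is 'high' (reachable from other internal
    segments that have no business talking to it).
    """
    findings = []
    for rec in inventory:
        if rec["role"] != "management":
            continue  # user-facing services (VPN, apps) are expected to be reachable
        addr = ipaddress.ip_address(rec["ip"])
        if any(addr in net for net in mgmt_networks):
            continue  # where it belongs
        severity = "critical" if addr.is_global else "high"
        findings.append({
            "host": rec["host"],
            "ip": rec["ip"],
            "port": rec["port"],
            "severity": severity,
        })
    # Worst first, so the internet-facing ones top the report.
    order = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: (order[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for f in audit_management_exposure(SAMPLE_INVENTORY):
        print(f"{f['severity']:8} {f['host']} {f['ip']}:{f['port']}")
```

The allow-list is deliberately a list of networks rather than a private-vs-public test alone: a management port bound to a non-management RFC 1918 address is still a lateral-movement target, which is why it is reported too, just at lower severity.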

Maarten Boone, a researcher who discovered one of the 11 new bugs, said he decided to take a look at Citrix’s software after all of the hacking that stemmed from the last Citrix vulnerability. To encourage Citrix customers to update their software, he plans to release a proof-of-concept exploit for the privilege-escalation vulnerability he found.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
