Hackers probe Citrix servers for weakness to remote code execution vulnerability
Cyberattackers are performing scans to find Citrix servers vulnerable to a critical security flaw in ADC and Gateway products, researchers have warned.
Disclosed in December, the severe vulnerability, tracked as CVE-2019-19781, impacts the Citrix Application Delivery Controller (ADC) — also known as NetScaler ADC — alongside Citrix Gateway, formerly known as NetScaler Gateway. Originally reported by Mikhail Klyuchnikov from Positive Technologies, the critical vulnerability permits directory traversal and, if exploited, allows threat actors to conduct Remote Code Execution (RCE) attacks.
According to a Citrix security advisory, these products are affected:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Researchers have estimated that at least 80,000 organizations in 158 countries are users of ADC and could, therefore, be at risk. Companies in the firing line are predominantly based in the US — roughly 38 percent — as well as the UK, Germany, the Netherlands, and Australia.
“Depending on specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP),” Positive Technologies says. “In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked. This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server.”
As reported by Bleeping Computer, cybersecurity researchers have detected a spike in scans for Citrix servers potentially vulnerable to the bug.
On Twitter, researcher Kevin Beaumont said that one of his honeypots had revealed “attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue).”
It does not appear that any public exploit code is being widely used — at least, not yet. SANS Technology Institute Dean of Research Johannes Ullrich noted in his own honeypot checks that current scans do not appear to be “sophisticated” in any way — some of which are no more than GET requests — but added that “other sources I consider credible have indicated that they were able to create a code execution exploit.”
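The honeypot observations above describe attackers probing with plain GET requests that carry `../` directory traversal sequences. As an added illustration (not code from the article or from Citrix), the following Python snippet shows the kind of check a defender could run over web server access logs to surface such probes. The log lines are constructed samples in common log format, not real traffic; the path names and IP addresses in them are invented for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532
203.0.113.11 - - [11/Jan/2020:10:01:05 +0000] "GET /vpn/../conf/app.cfg HTTP/1.1" 200 112
203.0.113.12 - - [11/Jan/2020:10:01:09 +0000] "GET /vpn/%2e%2e/%2e%2e/conf/app.cfg HTTP/1.1" 404 0
203.0.113.13 - - [11/Jan/2020:10:01:12 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8891
203.0.113.14 - - [11/Jan/2020:10:01:20 +0000] "GET /vpn/..%252f..%252fconf/app.cfg HTTP/1.1" 404 0
"""

# Common log format: client ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)'
)

# A ".." path component bounded by a slash or backslash (or the string ends).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def decode_path(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (e.g. %252e) normalize.

    Decoding stops early once another round changes nothing; max_rounds bounds
    the work for pathological input.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """Return True when the decoded request target contains a '..' path component."""
    return TRAVERSAL_RE.search(decode_path(path)) is not None


def parse_line(line):
    """Parse one access-log line into a dict, or return None for unparseable lines."""
    match = LOG_RE.match(line)
    if not match:
        return None
    client, timestamp, method, target, protocol, status, size = match.groups()
    return {
        "client": client,
        "timestamp": timestamp,
        "method": method,
        "target": target,
        "decoded": decode_path(target),
        "status": int(status),
    }


def find_traversal_requests(log_text):
    """Return the parsed entries whose request target carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_traversal(entry["target"]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f'{hit["client"]} {hit["method"]} {hit["target"]} -> {hit["decoded"]} ({hit["status"]})')
```

Repeated decoding matters because a single `unquote` pass would leave `..%252f` looking harmless; the status code is kept in each hit because a 200 response to a traversal request, rather than a 404, is the signal that deserves immediate attention.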
A patch has yet to be released for the issue, but Citrix has released mitigation guidelines in the meantime. The company recommends that IT administrators run a set of commands, published in the advisory, to configure responder policies.
“Citrix strongly urges affected customers to immediately apply the provided mitigation. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released,” Citrix says.
In March last year, Citrix disclosed a security breach caused by weak account credentials in a technique known as password spraying. Threat actors managed to access internal networks and download confidential business documents.