Organizations that have not yet applied recommended mitigations for a recently disclosed remotely exploitable flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products now have a very good reason to do so immediately.
Two separate groups of researchers have posted proof-of-concept exploit code for the vulnerability (CVE-2019-19781) on GitHub. One exploit is from a group of researchers from India called Project Zero India, and the other exploit, dubbed Citrixmash, is from researchers at security consulting firm TrustedSec. Security researchers meanwhile also are reporting a surge in scanning activity in recent days suggesting that attackers are actively looking for systems to exploit.
Citrix has not yet released a patch for the flaw, which was disclosed in late December. Security researchers have described the vulnerability as especially dangerous because it allows unauthenticated remote attackers to run arbitrary exploit code on vulnerable systems.
The concerns have been heightened by the fact that Citrix products are used widely on enterprise networks for many tasks, including remote access to internal systems from any device.
Another aggravating factor is the fact that the vulnerability is considered very trivial to exploit. TrustedSec says it developed its exploit simply based on information in Citrix’s workaround. Citrix has urged organizations with the vulnerable software to make certain configuration changes to their ADC and Gateway systems — formerly known as Netscaler ADC and Netscaler Gateway — to mitigate risk of attack. A patch for the appliance firmware won’t be available from Citrix until around Jan. 20.
The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Monday released a utility that it said enables organizations to quickly test whether their Citrix ADC and Citrix Gateway software are susceptible to the CVE-2019-19781 vulnerability.
“TrustedSec can confirm that we have a 100% fully working remote code execution exploit that is able to directly attack any Citrix ADC server from an unauthenticated manner,” TrustedSec security consultant David Kennedy said in a blog post. Organizations with vulnerable systems should immediately implement mitigation measures for the flaw because attackers are actively scanning for systems to attack, he said.
In posting the exploit on GitHub, TrustedSec claimed it was only doing so because others had published the code first. “We would have hoped to have had this hidden for awhile longer while defenders had appropriate time to patch their systems,” the company said.
Exploit code landing before the patch significantly heightens risks for the many organization that have not yet taken any mitigation measures against it.
“Any organization with a NetScaler or ADC login portal exposed to the Internet and lacking the mitigation has almost certainly been compromised by now,” says Craig Young, principal security researcher at Tripwire. All it takes to exploit the flaw in most situations is just two specific HTTPS requests, according to Tripwire.
“One of the more likely things I expect to see happen is that many of the systems will be utilized for cryptocurrency mining, or will simply be resold on criminal marketplaces as footholds into specific networks,” Young says.
Estimates on the number of Citrix systems that remain vulnerable to the threat have varied somewhat in recent days. A scan that Tripwire conducted some 21 days after the flaw was first disclosed showed that 39,378 out of 58,620 scanned IPs remained vulnerable to attack.
About one-third of those vulnerable systems – or 13,321 – were located in the United States. Other countries with a relatively large number of vulnerable systems include Germany (4,552), United Kingdom (3,321), Switzerland (1,725), and Australia (1,618).
According to Young, the list of vulnerable systems contains numerous high-value systems belonging to organizations across multiple critical sectors including financial services, healthcare, and government. “My approach took less than 30 minutes to prepare and yielded tens of thousands of results,” he says.
Cyber threat intelligence firm Bad Packets over the weekend pegged the number of vulnerable systems at a shade over 25,100. Of these, 18,155 had SSL certificates with unique domain names. According to Bad Packets, opportunistic mass-scanning activity targeting the vulnerability has soared in recent days, including from hosts located in Germany and Poland. The sheer scale of the activity suggests that attackers have likely enumerated all vulnerable, publicly accessibly Citrix Gateway and Citrix ADC endpoints by now, Bad Packets said.
“Travelex was recently breached using a very similar flaw in a competing VPN product,” Young says. In that particular incident the attackers pilfered gigabytes of payment card data and other PII over a six-month period before ultimately deploying the REvil ransomware in an unsuccessful bid for about $6 million.
“A breach of this sort can potentially divulge everything within an organization. Customer databases, financial documents, source code, embarrassing emails, and just about everything else would be within reach of a skilled attacker with this level of access,” Young warns.
Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “6 Unique InfoSec Metrics CISOs Should Track in 2020.”
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio