At least eighty thousand organisations could be at risk.
Cyber attackers scan Citrix servers, which are vulnerable to a critical ADC and Gateway security vulnerability, as researchers have warned.
Disclosed in December, the Citrix Application Delivery Controller (ADC), previously known as NetScaler ADC, has a serious vulnerability monitored under CVE-2019-19781 next to the Citrix Gateway formerly identified as the NetScaler Gateway. The crucial flaw, originally reported by Positive Technologies Mikhail Klyuchnikov, facilitates directory cross-cutters and allows threatening actors to execute remote code execution (RCE) attacks if used.
These products are affected according to a Citrix security advisory:
- All supported Citrix ADC and Citrix Gateway 13.0 builds versions
- 12.1 Citrix ADC and NetScaler Gateway all supported Citrix ADC
- NetScaler Gateway 12.0, Citrix ADC
- NetScaler Gateway versions 11.1 all supported Citrix Citrix NetScaler ADC
- NetScaler Gateway 10.5 builds all supported builds
Researchers estimated that, in 158 countries, at least 80,000 organizations are ADC users and could thus be at risk. The shooting corporations are mainly based in the US – about 38% – as well as the United Kingdom, Germany, the Netherlands and Australia.
“Depending on specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP),” Positive Technologies says. “In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked. This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server.”
Cybersecurity researchers have detected an incidence of Citrix server scans potentially vulnerable to the bug as reported by Bleeping Computer.
Researcher Kevin Beaumont said on Twitter that one of his honeypots had leaked
🚨 In my Citrix ADC honeypot, CVE-2019-19781 is being probed with attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue). So this is in the wild, active exploitation starting up. 🚨 https://t.co/pDZ2lplSBj
— Kevin Beaumont (@GossiTheDog) 8 January 2020
“attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue).”
No public exploit code appears to be widely used— at least not yet. In his own honeypot checks, SANS Technology Institute Dean of Research Johannes Ullrich noted that the current scans seem in no sense “developed”–some of which are only GET requests–but added that “other sources I believe to be credible have shown that they can produce a code execution exploit.” A patch is not yet released but Citrix has released it. The organization advises that IT administrators use a series of instructions, which can be found here, to adjust reaction policies.
“Citrix strongly urges affected customers to immediately apply the provided mitigation. Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released,” Citrix says.
In March of last year, in a password spraying method, Citrix revealed a security violation caused by weak account credentials.