DHS Issues Notice of Critical Citrix Vulnerability Being Actively Exploited

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) gave an alert regarding a recently identified vulnerability in the Citrix Gateway web server appliances and the Citrix Application Delivery Controller.

An attacker can exploit the vulnerability (labeled as CVE-2019-19781) via the internet and execute arbitrary code on vulnerable appliances remotely. By exploiting the vulnerability, it is possible to access the appliances and use it to attack other resources linked to the internal network. A number of security researchers consider the bug as one of the most threatening discovery recently.

The advisory, given on January 8, 2020, prompts all establishments using the vulnerable Citrix appliances (formerly NetScaler ADC and NetScaler Gateway) to implement mitigations without delay to restrict the possibility of an attack, and to employ the firmware updates the moment they are available this month.

Two proof of concept exploits were published on GitHub which makes exploiting vulnerabilities trivial. There have been more scans for vulnerable systems since Project Zero India and TrustedSec published the exploits on Friday. Attacks on honeypots built by security researchers have become more frequent on weekends.

Around the world, there are roughly 80,000 companies in 158 countries that must implement mitigations to resolve the vulnerabilities. Around 38% of vulnerable institutions are found in the U.S.A.

The vulnerabilities are found in versions 13.0, 12.1, 12.0, 11.1, and 10.5 of the Citrix Application Delivery Controller and Citrix Gateway web server, including NetScaler Gateway and Citrix NetScaler ADC.

UK security researcher Mikhail Klyuchnikov discovered the path traversal bug and notified Citrix about it. A vulnerable appliance can be exploited via the internet without requiring authentication. All that is needed to exploit the vulnerability is to locate a vulnerable appliance and transmit a specially crafted request together with the exploit code. Security researchers on cybersecurity forums refer to the bug as Shitrix.

At this time, a patch to correct the flaw is not yet available. Citrix is going to issue a firmware upgrade at the end of the month to fix the vulnerability. The scheduled release is as follows:

  • January 20, 2020 for firmware versions 11.1 and 12.0
  • January 27, 2020 for versions 12.1 and 13.0
  • January 31, 2020 for version 10.5

Meanwhile, it is important to apply configuration changes to make vulnerability exploitation more difficult. These are available on the Citrix Support Page CTX267679.

Because the vulnerability is presently being actively attacked, after implementing mitigations be sure to check that the flaw is not yet exploited.

TrustedSec, which stopped publishing its PoC exploit code until the release of an exploit on GitHub, has created a tool for identifying vulnerable Citrix incidents on systems and has shared possible clues of compromised Citrix hosts.