
Exploits Published for Citrix ADC Vulnerability, Patches Coming Soon

CISA Releases Utility to Test for Citrix ADC and Gateway Vulnerability


Exploits targeting the recent Citrix Application Delivery Controller (ADC) vulnerability have already been published online, yet security patches will not be available for at least another week.

Impacting both Citrix ADC and Citrix Gateway (previously known as NetScaler ADC and NetScaler Gateway), the vulnerability is tracked as CVE-2019-19781 and could lead to code execution without authentication, Citrix revealed on December 17, 2019.

The company also provided details on the steps organizations should take to mitigate exposure to this vulnerability but, three weeks after the flaw was made public, over 39,000 systems without the mitigation enabled were found, and adversaries were already scanning for the vulnerability.

Now, Citrix says it is working on security updates to patch the vulnerability, but estimates that at least one more week will pass before the first patches are released.

Specifically, the company expects patches for versions 11.1 and 12 of the affected products next Monday, on January 20, updates for versions 12.1 and 13 on January 27, and fixes for version 10.5 on January 31.

“We are currently working to develop permanent fixes. As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested,” Citrix reveals.

The company also notes that, amid reports of network scans aimed at detecting vulnerable systems, applying the previously published mitigations is the path to staying secure. It also believes that only a limited number of devices are exploitable, as many deployments are behind firewalls.


According to Johannes B. Ullrich, dean of research at the SANS Technology Institute, the scans for vulnerable Citrix ADC systems that he has observed for the past couple of weeks have turned into full-blown exploitation attempts lately.

The escalation is not surprising, as two working exploits have already been published online. One comes from “Project Zero India” and the other from TrustedSec, which said it released the exploit only because other researchers released theirs.

The first exploit essentially includes two curl commands: one to write a template file containing a shell command, and the second to download the result of the command execution.

The second exploit essentially uses the same method, but is delivered in the form of a Python script that also establishes a reverse shell. Ullrich says he has observed many other variations of the exploit being released within several hours.

“We do see heavy exploitation of the flaw using variations of both exploits. Most attempts follow the ‘Project Zero India’ pattern, which is likely simpler to include in existing exploit scripts. Much of the scanning we have seen so far is just testing the vulnerability by attempting to run commands like ‘id’ and ‘uname’,” the researcher says.

Some of the observed exploitation attempts, he reveals, sought to fetch additional code, with one of the retrieved samples being a Perl backdoor.
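The scans and exploits Ullrich describes all rely on the same path traversal that the check command further down in this article uses: a request under /vpn/ that climbs with “..” into the protected /vpns/ tree. The script below is an added example (not SANS, TrustedSec or Citrix tooling) that triages Apache-style access logs from an appliance for that pattern, decodes percent-encoding first so encoded variants are caught, and separates blocked requests (403, mitigation in place) from ones that succeeded. The log lines are constructed for the demonstration and the POST endpoint is a placeholder, not a real path.

```python
"""Triage access-log lines for CVE-2019-19781 traversal requests.
Added example; the log lines and the POST endpoint below are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' segment that lands inside the protected /vpns/ tree.
TRAVERSAL_RE = re.compile(r"\.\./.*?vpns/", re.I)

# Constructed sample: one scanner that got through, one that was blocked,
# and two benign requests. "PLACEHOLDER_ENDPOINT" stands in for any path.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:10:15:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1234 "-" "curl/7.64.0"
203.0.113.7 - - [11/Jan/2020:10:15:09 +0000] "POST /vpn/%2e%2e/vpns/PLACEHOLDER_ENDPOINT HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
198.51.100.23 - - [11/Jan/2020:11:02:41 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.64.0"
198.51.100.23 - - [11/Jan/2020:11:02:45 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [11/Jan/2020:11:30:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 7810 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode percent-encoding so '%2e%2e' is matched exactly like '..'.
    rec["path"] = unquote(rec["target"].split("?", 1)[0])
    return rec


def classify(rec):
    """Return a finding for a traversal request, or None for a benign one."""
    if not TRAVERSAL_RE.search(rec["path"]):
        return None
    if rec["status"] == 403:
        outcome = "blocked (mitigation in place)"
    elif rec["status"] == 200:
        outcome = "succeeded (host unmitigated)"
    else:
        outcome = f"status {rec['status']}"
    # The published exploits first write a file and then fetch the result,
    # so a write method into /vpns/ is a stronger signal than a plain read.
    kind = "write attempt" if rec["method"] in ("POST", "PUT") else "read/probe"
    return {"ip": rec["ip"], "ts": rec["ts"], "kind": kind,
            "outcome": outcome, "path": rec["path"]}


def triage(lines):
    """Return (findings, per-source-IP counts) for a list of log lines."""
    records = (r for r in map(parse_line, lines) if r)
    findings = [f for f in map(classify, records) if f]
    return findings, Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found, per_ip = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']:<15} {f['kind']:<13} {f['outcome']:<30} {f['path']}")
    print("sources:", dict(per_ip))
```

Run it against a real appliance log with `triage(open(path).read().splitlines())`. A “succeeded” read of smb.conf from an unknown source means the host was unmitigated at that time and should be treated as potentially compromised, which is the case TrustedSec's verification guide (mentioned below) covers.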

In addition to applying the recommended mitigations, organizations can check whether their deployments are vulnerable or whether they have already been compromised using the following command.

curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is

“A 200 response means you are vulnerable. A 403 response indicates that the workaround is in place. A 404 response likely indicates that this is not a Citrix ADC or other vulnerable system,” Ullrich notes.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also released a utility that allows users to test whether their Citrix ADC and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability.

TrustedSec has published a comprehensive guide on how to verify whether a system has been compromised or not.

*Updated with details of the utility available from CISA

Related: Hackers Scan for Vulnerable Citrix ADC Systems

Related: Citrix Vulnerability Leaves 80,000 Companies at Risk

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
