
Hackers Scanning for Citrix Systems Affected by Recent Vulnerabilities

Hackers are apparently scanning the web for systems affected by the recently disclosed Citrix vulnerabilities, which the vendor suggested are less likely to be exploited.

Citrix informed customers earlier this week that it has patched a total of 11 vulnerabilities affecting its ADC, Gateway, and SD-WAN WANOP networking products. The flaws can be exploited for local privilege escalation, DoS attacks, authorization bypass, code injection, and XSS attacks.

While some of the vulnerabilities can be exploited remotely without authentication, the vendor highlighted that many of them require access to the targeted system, user interaction, or other preconditions, and also pointed out that the latest issues are not related to CVE-2019-19781, a vulnerability that various threat groups have been exploiting since January.

In addition to its advisory, Citrix published a blog post written by its CISO, Fermin J. Serna, to “avoid confusion and limit the potential for misinterpretation in the industry and our customer set.” Serna downplayed the impact of the flaws, suggesting that they are less likely to be exploited compared to CVE-2019-19781.

He also noted that the latest issues are fully addressed by the patches, unlike CVE-2019-19781, for which the company initially released only temporary mitigations due to the high risk of exploitation.

However, Johannes Ullrich, dean of research at the SANS Technology Institute, reported on Thursday that a honeypot set up to capture attacks aimed at F5 Networks’ BIG-IP systems recorded attempts to exploit two of the recent Citrix vulnerabilities.

Ullrich says their honeypot has been hit by attempts to download files and obtain information, which are likely part of scans looking for vulnerable Citrix systems.

The expert said it was unclear which of the 11 CVEs are targeted, but he believes the most likely candidates are CVE-2020-8195 and CVE-2020-8196. Both security holes have been described as information disclosure issues whose exploitation requires authentication on the NSIP, the IP address at which a Citrix ADC appliance can be accessed for management purposes.

CVE-2020-8195 and CVE-2020-8196, along with three of the other vulnerabilities patched by Citrix this week, were reported to the vendor by researcher Donny Maasland, who has published a blog post describing his findings in detail.

While Citrix said it was not disclosing any technical information in order to prevent exploitation, Maasland disagrees with this approach, and he noted that his research targeted the NSIP, which should not be exposed to the internet in the first place.
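The practical takeaway from both Ullrich's honeypot observations and Maasland's point about the NSIP is the same: a management interface should only ever be reached from a small set of administrative networks, and any request to it from elsewhere is worth an alert. The script below is an added illustration (not code from the article, SANS, Citrix or Maasland) that scans access-log lines for requests to a management path prefix and reports every source address outside an admin allowlist, together with how many of its requests were denied, which is the pattern an external scan would produce. The log format, the `/mgmt/` paths, the IP addresses and the `10.0.5.0/24` allowlist are all constructed for the example and are not real Citrix endpoints or networks.

```python
"""Flag management-interface requests from sources outside the admin allowlist.

Added example: the log format, paths and addresses are constructed, not taken
from any real appliance or from the article.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed access-log lines in a common combined-log style. The "/mgmt/..."
# paths are placeholders standing in for a management interface, not real endpoints.
SAMPLE_LOG = """\
10.0.5.23 - - [09/Jul/2020:10:01:11 +0000] "GET /mgmt/login HTTP/1.1" 200 5123
10.0.5.23 - - [09/Jul/2020:10:01:30 +0000] "POST /mgmt/login HTTP/1.1" 302 0
198.51.100.7 - - [09/Jul/2020:10:02:45 +0000] "GET /mgmt/login HTTP/1.1" 401 0
198.51.100.7 - - [09/Jul/2020:10:02:46 +0000] "GET /mgmt/files/export HTTP/1.1" 401 0
198.51.100.7 - - [09/Jul/2020:10:02:47 +0000] "GET /mgmt/sysinfo HTTP/1.1" 401 0
203.0.113.9 - - [09/Jul/2020:10:05:02 +0000] "GET /mgmt/sysinfo HTTP/1.1" 401 0
"""

# One combined-log-style line: client ip, two ignored fields, [timestamp],
# "METHOD PATH PROTO", status code, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def build_allowlist(cidrs):
    """Turn CIDR strings such as '10.0.5.0/24' into network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


def is_allowed(ip_str, allowed_nets):
    """True if the source address falls inside one of the admin networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # An unparsable source field should surface for review, not be skipped.
        return False
    return any(ip in net for net in allowed_nets)


def find_unexpected_mgmt_access(log_text, admin_cidrs, mgmt_prefix="/mgmt/"):
    """Summarise management-path requests from sources outside admin_cidrs.

    Returns {source_ip: {"requests": n, "paths": [...], "denied": n}}; "denied"
    counts 401/403 responses, so many denied hits across several paths from one
    source is the signature of unauthenticated probing.
    """
    allowed = build_allowlist(admin_cidrs)
    findings = defaultdict(lambda: {"requests": 0, "paths": set(), "denied": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(mgmt_prefix):
            continue
        if is_allowed(rec["ip"], allowed):
            continue
        entry = findings[rec["ip"]]
        entry["requests"] += 1
        entry["paths"].add(rec["path"])
        if rec["status"] in ("401", "403"):
            entry["denied"] += 1
    return {
        ip: {"requests": e["requests"], "paths": sorted(e["paths"]), "denied": e["denied"]}
        for ip, e in findings.items()
    }


if __name__ == "__main__":
    for ip, e in find_unexpected_mgmt_access(SAMPLE_LOG, ["10.0.5.0/24"]).items():
        print(f"{ip}: {e['requests']} request(s), {e['denied']} denied, paths={e['paths']}")
```

Run as-is, the script reports the two constructed sources outside `10.0.5.0/24`; the in-allowlist administrator at `10.0.5.23` is ignored. On a real deployment the same logic belongs in front of the management interface as a network rule (the NSIP reachable only from the admin network), with the log check serving as the detective control that confirms the rule is actually holding.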

“I firmly believe that when you don’t provide technical details about vulnerabilities you are preventing defensive teams from creating proper detection and mitigation measures against security issues as well as preventing new security analysts and developers from learning from past mistakes. If other people hadn’t created write-ups of the vulnerabilities they found, I wouldn’t have been able to find these results you see here today,” the researcher said.

“Furthermore, you will see that everything I’m disclosing here isn’t exactly rocket science. I’m even willing to bet most of these vulnerabilities have been known to other people for a while now,” he added.

Related: Attacks on ADC Ramp Up as Citrix Releases Remaining Patches

Related: Organizations Quick to Patch Critical Citrix ADC Vulnerability

Related: Citrix Releases More Patches for Exploited Flaw, Tool to Detect Compromise

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
