[German]There is an unpatched vulnerability CVE-2019-19781 in Citrix ADC (Application Delivery Controller, formerly Netscaler) and proof of concept (PoC) exploits have been available for a few days to exploit the vulnerability – and honeypots are already under attack. I got also reports from intrusion into networks in German companies. Administrators responsible for Citrix ADC need to take action.
Vulnerability CVE-2019-19781 in Citrix ADC
The vulnerability CVE-2019-19781 Vulnerability in Citrix Application Delivery Controller and Citrix Gateway leading to arbitrary code execution exists in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway).
Citrix (NetScaler) ADC is a load balancer and monitoring system. The Unified Gateway enables remote access to internal applications. This can include desktop applications as well as intranet or web applications.
The vulnerability, classified as critical, could allow a local, unprivileged attacker to execute unwanted code. Mikhail Klyuchnikov, security expert at Positive Technologies, discovered this critical vulnerability.
The Citrix ADC/NetScaler is (according to a feedback from a specialist to me over the weekend) in use with at least 80,000 enterprise/government customers. All companies that rely on Citrix XenApp/XenDesktop to virtualize their applications usually also have a NetScaler in use.
On December 24, 2019, I reported on the problem for which there is no patch available from Citrix so far in the article Vulnerability in Citrix Apps put companies at risk. The support CTX267679 – Mitigation steps for CVE-2019-19781 explains how administrators can make the exploitability of the vulnerability more difficult in advance. explains how administrators can make the exploitability of the vulnerability more difficult in advance.
PoC and attacks
I had already noticed it on Friday or the weekend, Citrix ADC administrators might get some grey hair now. Last Saturday, Catalin Cimpanu already pointed out that two proof of concept code examples for the now called Shitrix vulnerability are publicly available.
Proof-of-concept code published for Citrix bug as attacks intensify
* Not one, but two PoCs have been published for CVE-2019-19781 (also known as Shitrix now)
— Catalin Cimpanu (@campuscodi) January 11, 2020
Cimpanu compiled the details in the linked ZDNet article. But in short: We know about the vulnerability, there is no patch, just a workaround to mitigate the vulnerability. At reddit.com there is link collection on pointing to article with insights. And SANS institute has this article.
In my Citrix ADC honeypot, CVE-2019-19781 is being probed with attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue). So this is in the wild, active exploitation starting up. https://t.co/pDZ2lplSBj
— Kevin Beaumont (@GossiTheDog) January 8, 2020
From security researcher Kevin Beaumont, I know that his Citrix ADC honeypots have been under attack for several days regarding the CVE-2019-19781 vulnerability and the attackers are trying to gain access to sensitive information. It seems that at Friday or during the weekend the first German companies have been hit with network intrusions.
As active scanning and exploit scripts are in the wild, it is recommended to deploy the mitigation filter for malicious URL requests until the security updates are available ➡️ https://t.co/StXksW6OVu
— CERT-Bund (@certbund) January 11, 2020
German CERT-Bund issued another warning on Saturday about the vulnerability and today refers to the patch delivery dates announced by Citrix (20 – 31 January 2020). Administrators must therefore take action and use the workaround until these patches are delivered. But it seems that not all admins have been reached yet.
— Catalin Cimpanu (@campuscodi) January 12, 2020
Catalin Cimpanu points out in the above tweet that more than 25,000 Citrix ADC (NetScaler) endpoints relating to CVE-2019-19781 are vulnerable.
We’ve just released a scanner that checks to see if a server is vulnerable for CVE-2019-19781.
— TrustedSec (@TrustedSec) January 11, 2020
The above tweet indicates that TrustSec has released a scanner on GitHub that allows administrators to check if a server is vulnerable to attack via the CVE-2019-19781 vulnerability.
Addendum: In the following tweet, security researcher Kevin Beaumont points out a blog post by FireEye.
— Kevin Beaumont (@GossiTheDog) January 15, 2020
FireEye describes how and which attacks are made on industrial networks to exploit the Shirtrix vulnerability.
Ouch: FreeBSD 8.4 (with EOL 1.8.2015)
The hair of some Citrix NetScaler admins might have turned even more grey. At the weekend I came across this tweet that sheeds light into how vendors maintain their products:
— Julian Mooren (@citrixguyblog) January 11, 2020
Currently Julian is still waiting for an answer from Citix, but that’s not funny at all – imho.
Vulnerability in Citrix Apps put companies at risk
PoC for Citrix ADC/Netscaler vulnerability CVE-2019-19781
Further actions required for Citrix Netscaler vulnerability
Citrix ADC/Netscaler patches 11.1/12.0 released (01/19/2020)