The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on January 8, 2020 stating that the Citrix Gateway web server appliances and the Citrix Application Delivery Controller were found to contain a vulnerability, tracked as CVE-2019-19781.
A threat actor could exploit the vulnerability remotely to execute arbitrary code on affected devices. A compromised appliance can then be used as a foothold for attacking other resources connected to the internal network. Many security researchers describe this bug as one of the most alarming recent findings.
The advisory requires all organizations running the vulnerable Citrix devices (formerly NetScaler ADC and NetScaler Gateway) to apply mitigations immediately to reduce their exposure, and to install the firmware updates as soon as they become available.
Two proof-of-concept exploits, released on GitHub by Project Zero India and TrustedSec on Friday, have made exploitation of the vulnerability easy. Scanning for vulnerable systems has increased since their publication, and honeypots run by security researchers recorded more frequent attacks over the weekend.
Worldwide, about 80,000 companies in 158 countries need to apply the mitigations to address the vulnerability; about 38% of the vulnerable organizations are located in the United States.
The vulnerable devices include Citrix Application Delivery Controller versions 10.5, 11.1, 12.0, 12.1 and 13.0 and the Citrix Gateway web server appliances, including those still branded Citrix NetScaler ADC and NetScaler Gateway.
Security researcher Mikhail Klyuchnikov from the UK discovered the path traversal bug and reported it to Citrix. A vulnerable appliance exposed to the internet can be exploited without authentication: once an attacker locates one, it is exploited by sending it a specially crafted request containing the exploit code. The bug, nicknamed Shitrix, has become a trending topic in cybersecurity forums.
No patch is available yet to fix the flaw. Citrix will release firmware upgrades at the end of January to address the vulnerability, on the following schedule:
January 20, 2020 for firmware versions 11.1 and 12.0
January 27, 2020 for versions 12.1 and 13.0
January 31, 2020 for version 10.5
Until the upgrade is released, apply the configuration changes described in Citrix support article CTX267679, which make the vulnerability harder to exploit.
Cybercriminals are actively exploiting the vulnerability, and the mitigations do not undo an intrusion that has already happened, so after applying them, check that your appliance has not already been compromised.
TrustedSec withheld its PoC exploit code until another exploit had appeared on GitHub. The firm has also released a tool that detects vulnerable Citrix instances and has published indicators that can point to compromised Citrix hosts.
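The article describes the flaw as a path traversal bug reached through a crafted request and recommends checking appliances for compromise. As an added illustration of what such a check looks like in general, the Python below scans web-server access-log lines for path-traversal attempts: it percent-decodes each request path repeatedly (so double encoding collapses), flags any `..` segment, and notes when the normalized path would climb above the web root. This is example code written for this page, not Citrix's mitigation, CISA's guidance or TrustedSec's detection tool; the log lines, IP addresses and function names are constructed for the example and are not indicators from the real attacks.

```python
"""Added example for this page: flag path-traversal attempts in access logs.
Not Citrix's mitigation or TrustedSec's tool; the log lines below are constructed."""
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; addresses and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.6 - - [10/Jan/2020:10:01:03 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [10/Jan/2020:10:01:04 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
10.0.0.8 - - [10/Jan/2020:10:01:05 +0000] "POST /api/%252e%252e/secret?x=1 HTTP/1.1" 403 0
10.0.0.9 - - [10/Jan/2020:10:01:06 +0000] "GET /docs/a..b/file HTTP/1.1" 200 128
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTOCOL", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(text, max_rounds=3):
    """Percent-decode until the result is stable, so %252e -> %2e -> '.' collapses."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def traversal_findings(target):
    """Return a list of findings for one request target; an empty list means nothing suspicious.

    'dot-dot segment'               : some path segment is exactly '..' after decoding
    'obscured by percent-encoding'  : the '..' only appeared after decoding (filter evasion)
    'escapes web root'              : the normalized path climbs above '/'
    """
    raw_path = target.split('?', 1)[0]            # ignore the query string
    decoded = decode_fully(raw_path).replace('\\', '/')
    segments = decoded.split('/')
    findings = []
    if '..' in segments:
        findings.append('dot-dot segment')
        if decoded != raw_path:
            findings.append('obscured by percent-encoding')
    depth = 0
    for seg in segments:
        if seg == '..':
            depth -= 1
            if depth < 0:
                findings.append('escapes web root')
                break
        elif seg not in ('', '.'):
            depth += 1
    return findings


def scan_log(text):
    """Parse each log line and return (ip, target, findings) for suspicious requests only."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in Common Log Format; skip rather than guess
        findings = traversal_findings(m.group('target'))
        if findings:
            hits.append((m.group('ip'), m.group('target'), findings))
    return hits


if __name__ == '__main__':
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(f'{ip} {target} -> {", ".join(findings)}')
```

Note that `a..b` in a segment name is left alone: only a segment that is exactly `..` counts, which keeps false positives down, and the "escapes web root" finding separates requests that merely contain `..` from those that would actually leave the served directory.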