A critical vulnerability in the Citrix Application Delivery Controller and Citrix Gateway is being exploited in real world attacks.
The vulnerability was discovered by security researcher Mikhail Klyuchnikov who reported it to Citrix, but more than a month after being notified about the flaw, a firmware upgrade has yet to be released for vulnerable Citrix appliances.
The vulnerability, CVE-2019-19781, has been described by some security researchers as one of the most dangerous bugs to be uncovered in recent years. The flaw can be exploited remotely over the internet by an unauthenticated user and will allow remote code execution on a vulnerable appliance. Once access to the appliance has been gained, an attacker could launch attacks on resources on the internal network. All that is necessary to exploit the flaw is to identify a vulnerable appliance and send a specially crafted packet along with the exploit code.
The was hope that an exploit would not be developed before Citrix issued a firmware upgrade, but on Friday, January 10, 2020, exploit code for the path traversal vulnerability was published on GitHub by Project Zero India. That was closely followed by an exploit from TrustedSec. The latter had been holding off on publishing its PoC as it would allow hackers to easily exploit the flaw. Once Project Zero India had published its exploit, there was little point holding back and TrustedSec similarly published on GitHub. Either of these exploits for the Citrix vulnerability make an attack on a vulnerable system trivial.
Since Friday, several security researchers have reported that scans for vulnerable Citrix appliances have increased. Honeypots set up by security researchers have been attacked using the exploit code, and those attacks have been increasing over the weekend.
There are believed to be around 80,000 companies in 158 countries that have systems containing vulnerable Citrix or NetScaler appliances, almost 40% of which are in the United States.
Given the severity of the flaw, the number of companies affected, and the lack of a firmware update to fix the flaw, it is no surprise that security researchers have called the flaw Shitrix.
It is likely that a firmware update is still a week or two away from being released, although Citrix has created a support page detailing mitigations that should be implemented ahead of the planned firmware upgrade. You can find out about the necessary configuration changes here.
The vulnerability affects all supported Citrix ADC, Citrix Gateway, NetScaler ADC, and NetScaler Gateway versions – 13.0, 12.1, 12.0, 11.1, and 10.5. It is essential for mitigations to be applied as soon as possible since the flaws are under active attack.
Firmware upgrades are scheduled for release on the following dates:
- January 20, 2020 – Firmware versions 11.1 and 12.0
- January 27, 2020 – Firmware versions 12.1 and 13.0
- January 31, 2020 – Firmware version 10.5