The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released an alert about a recently discovered flaw in Citrix Application Delivery Controller (ADC) and Citrix Gateway appliances.
The vulnerability, tracked as CVE-2019-19781, can be exploited over the internet and allows remote execution of arbitrary code on vulnerable appliances. An attacker who exploits it can gain access to the appliance and then attack other resources on the internal network. Some security experts have described the bug as one of the most dangerous discovered in recent years.
The alert, released on January 8, 2020, urges all organizations using the affected Citrix appliances (formerly NetScaler ADC and NetScaler Gateway) to apply mitigations that reduce the chance of a successful attack, and to install the firmware updates as soon as they are made available later this month.
Two proof-of-concept exploits have already been published on GitHub, which makes exploitation of the flaw trivial. Scanning for vulnerable systems has been on the rise since Project Zero India and TrustedSec published their exploits on Friday, and attacks on honeypots set up by security researchers increased in frequency over the weekend.
Worldwide, around 80,000 organizations in 158 countries need to apply mitigations to address the vulnerability. Approximately 38% of the vulnerable organizations are located in the United States.
The flaw exists in all supported versions of Citrix ADC and Citrix Gateway (13.0, 12.1, 12.0, 11.1 and 10.5), including the releases shipped under the NetScaler ADC and NetScaler Gateway names.
The path traversal bug was discovered by security researcher Mikhail Klyuchnikov of Positive Technologies, who reported it to Citrix. It can be exploited over the internet against a vulnerable appliance without any authentication: all an attacker needs is to find a vulnerable appliance and send it a specially crafted request carrying the exploit payload. The flaw has been nicknamed Shitrix by security researchers on cybersecurity forums.
At present there is no patch for the flaw. Citrix has scheduled firmware updates for later this month: January 20, 2020 for versions 11.1 and 12.0, January 27, 2020 for versions 12.1 and 13.0, and January 31, 2020 for version 10.5.
In the meantime, it is vital to apply the configuration changes that make the vulnerability harder to exploit. These are described on Citrix Support page CTX267679.
Because the flaw is under active attack, it is crucial, after applying the mitigations, to check whether the appliance has already been exploited.
TrustedSec, which held back its PoC exploit code until another exploit had already been published on GitHub, has developed a tool for finding vulnerable Citrix instances on networks and has released possible indicators of compromise for affected Citrix hosts.
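The two preceding points, checking for earlier exploitation and looking for indicators on affected hosts, come down to reading web access logs for the kind of request a path traversal exploit depends on. The following is an added example, not code from the article, CISA, Citrix or TrustedSec: a small Python scanner that parses access-log lines, percent-decodes the request path (repeatedly, so double-encoded dots are exposed), and flags any request whose decoded path contains a `..` segment. The log format (Apache/NCSA combined) and the sample lines are constructed for this example; the traversal paths in them are illustrative and make no claim about what the real exploit request looks like.

```python
import re
from urllib.parse import unquote

# Assumed Apache/NCSA combined log format. This is an assumption for the
# example, not a statement about the appliance's own log layout.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines. The paths show plain, URL-encoded and
# double-encoded traversal; they are illustrative, not the real exploit.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2020:03:14:09 +0000] "GET /vpn/../private/config.xml HTTP/1.1" 200 2048 "-" "curl/7.64.0"
198.51.100.23 - - [10/Jan/2020:03:14:11 +0000] "POST /vpn/../private/upload.cgi HTTP/1.1" 200 0 "-" "python-requests/2.22"
203.0.113.7 - - [10/Jan/2020:03:20:41 +0000] "GET /vpn/..%2f..%2fetc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2020:03:20:42 +0000] "GET /vpn/%252e%252e/private/config.xml?x=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.8 - - [10/Jan/2020:03:25:00 +0000] "GET /vpn/images/..logo.png HTTP/1.1" 200 3110 "-" "Mozilla/5.0"
"""


def decode_path(raw: str, rounds: int = 3) -> str:
    """Drop the query string, then percent-decode until the value stops
    changing (bounded), so double-encoded dots such as %252e%252e surface."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(raw_path: str) -> bool:
    """True if any segment of the decoded path is exactly '..'.
    Backslashes are treated as separators because some servers do.
    A filename that merely starts with dots ('..logo.png') is not traversal."""
    path = decode_path(raw_path).replace("\\", "/")
    return any(seg == ".." for seg in path.split("/"))


def scan(lines):
    """Return one dict per parsable log line whose request path traverses."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess at fields
        if has_traversal(m["path"]):
            hits.append({k: m[k] for k in ("client", "ts", "method", "path", "status")})
    return hits


def successful_clients(hits):
    """Clients whose traversal request got a 2xx response: treat these as
    likely compromise, not just a probe the server rejected."""
    return sorted({h["client"] for h in hits if h["status"].startswith("2")})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["client"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("likely compromised by:", successful_clients(found))
```

The status code is the part worth reading carefully: a traversal request that received a 2xx before the mitigation was in place should be treated as a probable compromise of the appliance, while a 403 indicates the request was rejected. Decoding in a bounded loop matters because an attacker can double-encode the dots to slip past a filter that only decodes once.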