Customers turned to Citrix Gateway for security: the company says it provides “secure access and single sign-on to all the virtual, SaaS and web applications they need to be productive.” Now the tool itself is vulnerable to a critical and “trivial to exploit” vulnerability that remains unpatched, nearly a month after being disclosed.
Exploits are now in the public domain, and security experts say that among 50,000+ potentially exposed users, they have identified scores of sensitive domains vulnerable to attack, including 351 distinct names containing .gov: predominately in the UK and Australia. (Citrix says users need to take manual steps to mitigate: guide here).
As Tripwire’s Craig Young writes: “The list contains countless high value targets across a swath of verticals including finance, government, and healthcare.”
Florida-based Citrix says it will have firmware updates across all supported versions of Citrix ADC and Citrix Gateway between January 20 – January 31.
We've added detection for the Citrix vulnerability (CVE-2019-19781). If you've configured Shodan Monitor (https://t.co/pVAnB0gecF) then you will automatically get notified if any of your devices are impacted.
— Shodan (@shodanhq) January 11, 2020
Positive Technologies, which first reported the vulnerability, said: “Citrix applications can be used for connecting to workstations and critical business systems (including ERP). In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked. This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server.”
Citrix Gateway Vulnerability
The vulnerability, CVE-2019-1978, affects Citrix Application Delivery Controller, previously NetScaler ADC, and Citrix Gateway, previously NetScaler Gateway
It was first disclosed on December 17 by Citrix, which acknowledged that both products have a critical security vulnerability that could allow an unauthenticated attacker to remotely execute code on the vulnerable gateways. (The CVE does not yet have a CVSS score: Positive Technologies expects it to be a full fat 10: the highest possible).
Can’t emphasize enough – please please please do the mitigation steps for the Citrix exploit as soon as possible.
This is going to be a really bad one folks.
Easy to automate and exploit and is widely used across the Internet.
Mitigation here: https://t.co/jeF0UC6A9V
— Dave Kennedy (@HackingDave) January 11, 2020
Those who haven’t mitigated the Citrix gateway vulnerability may already be in trouble: security firm Trusted Sec said: “We are aware of large scanning efforts already occurring across the globe in an effort to map… for this specific vulnerability.”
Sysadmins who haven’t sorted the mitigation should do so urgently. (The workarounds, as Trusted Sec notes, are focused on “eliminating directory traversals in general and restricting access to the VPNs folder, which contains scripts that allow files to be written (in a specific format) to later be called for remote code execution.”)