Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security

1/14/2020
06:00 AM
Larry Loeb
Larry Loeb
Larry Loeb
50%
50%

Things Get Intense for Citrix ADC/Gateway

Scans have found that there are almost 10,000 vulnerable Internet-facing hosts in the US, with 2500 in Germany and 2000 in the UK.

On December 17, 2019, Mikhail Klyuchnikov of Positive Technologies announced, along with Citrix, that he had found and verified a vulnerability (CVE-2019-19781) in the Citrix ADC and Citrix Gateway products (which had previously been called NetScaler ADC and NetScaler Gateway). Exploitation of it could lead to code execution without authentication and the total hijacking of the device. While the initial announcement was vague by intent, it provided a mitigation and remediation strategy that they thought would be effective.

Attackers of all stripes have spent time since then trying to figure out what this was all about and how to leverage it. Attackers have been scanning the web for vulnerable devices, trying to see where their targets may lie.

Scans have found that there are almost 10,000 vulnerable Internet-facing hosts in the US, with 2500 in Germany and 2000 in the UK.

In recent days, two proof-of-concept (PoC) listings have shown up to detail the inner workings of the exploit. The PoC's are not full-bore attack code, but show what such code would need to do. Mdsec published a technical analysis of the exploits, and what they actually did upon execution. One of the public PoCs was a Python script that created a reverse shell back to an attacker who could then execute commands. One exploit was just two lines of curl. Both were functional, however.

Some researchers have released honeypots to allow defenders to see what the attackers are doing as to the payloads they attempt to run alongside the PoC code. Alienvault summarized what they observed about the 37 differing payloads <href="https://otx.alienvault.com/pulse/5e1c293e07c770f36d232489"target="new">here, along with the indicators of compromise.

Citrix, understandably, is advising calm. Fermin J. Serna, Citrix's Chief Information Security Officer, also announced that patches for the vulnerability will be forthcoming, but not just yet.

Patches for version 12 and 11.1 of the affected software will be released on January 20, 12.1 and 13 on Jan 27 and 10.5 on January 31.

Therefore, performing the mitigation steps that Citrix initially outlined may still be necessary for the immediate future.

Serna also says that, "As many deployments are behind the firewall, we believe that a limited number of devices are exploitable." But, it's not that simple. Not by a long shot.

As security researcher Kevin Beaumont put it on Twitter, "Firewalls, multi factor authentication etc. do not protect you. The vulnerability is in the product, and exists in a layer before authentication. Your Citrix ADC/Gateway almost certainly has sensitive access (eg AD) even if you locked down access… The vendor supplied mitigation does not work if you exposed the management interface either internally or to the internet, as the /../ paths aren't needed on mgmt network."

We aren't done with this, yet.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5421
PUBLISHED: 2020-09-19
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVE-2020-8225
PUBLISHED: 2020-09-18
A cleartext storage of sensitive information in Nextcloud Desktop Client 2.6.4 gave away information about used proxies and their authentication credentials.
CVE-2020-8237
PUBLISHED: 2020-09-18
Prototype pollution in json-bigint npm package &lt; 1.0.0 may lead to a denial-of-service (DoS) attack.
CVE-2020-8245
PUBLISHED: 2020-09-18
Improper Input Validation on Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11....
CVE-2020-8246
PUBLISHED: 2020-09-18
Citrix ADC and Citrix Gateway 13.0 before 13.0-64.35, Citrix ADC and NetScaler Gateway 12.1 before 12.1-58.15, Citrix ADC 12.1-FIPS before 12.1-55.187, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.12, Citrix SD-WAN WANOP 11.2 before 11.2.1a, Citrix SD-W...