2020-01-20

On January 19, Citrix released several permanent fixes for a vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway VPN servers that could allow an attacker to execute code on the gateway remotely without logging in. The vulnerability affects tens of thousands of known VPN servers, including at least 260 VPN servers belonging to federal, state, and local government agencies in the United States, among them at least one location operated by the U.S. Army.

The patches cover versions 11.1 and 12.0 of the products, which were previously sold under the name NetScaler. Further patches will be available on January 24. They follow the temporary mitigation instructions the company had already provided to block the specially crafted requests that trigger the vulnerability. An attacker could use such requests to gain access to the networks the VPNs protect.

Fermin J. Serna, Chief Information Security Officer at Citrix, announced the fixes in a blog post on Sunday. Serna also said that the vulnerability, and the published patches, apply equally to Citrix ADC and Citrix Gateway virtual appliances hosted on all commercial virtualization platforms, on Azure, Amazon Web Services and Google Compute Platform, and on Citrix Service Delivery Appliances (SDXs).

Much to patch

This means a lot of work over the next few weeks for Citrix customers, which include thousands of government agencies, educational institutions, hospitals and large companies worldwide.

According to data that Bad Packets provided to Ars Technica, over 26,000 servers were still vulnerable to the crafted request as of last week. Bad Packets has shared the data, including information about potentially vulnerable government VPN gateways, with the Cybersecurity and Infrastructure Security Agency. Those gateways included one for a civilian DOD personnel system, one for the US Census Service and several belonging to local law enforcement agencies.

Inevitably, hundreds of Citrix VPN servers will remain vulnerable for weeks or months. FireEye reports that some are already under attack. One attacker applies the mitigation settings so that other attackers cannot exploit the server or run malware they had installed, and then sets up its own back door.

Most of the exploitation seen so far has installed low-impact malware, including cryptocurrency mining software. But based on what happened to Pulse Secure last year, ransomware operators and other cyber criminals are likely to join the hunt soon.

A member of the group that runs the REvil ransomware campaign recently confirmed that the group used the Pulse Secure vulnerability to attack Travelex, security researcher Vitali Kremez said. UNKN, the administrator of the REvil malware, claimed credit for the Travelex attack in a forum post on January 7 and said Travelex managers had to hurry up and pay, or customers' birth dates, social security numbers and credit card details would be "sold to someone."