Date: 2020-01-20

Company fired 300 employees for Christmas due to ransomware attack

Citrix has released patches to permanently resolve a vulnerability in ADC software that is actively exploited in the wild.

The vulnerability, tracked as CVE-2019-19781, affects the Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, as well as Citrix SD-WAN WANOP.

“The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on one of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V, KVM, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX),” the company says. “Further research by Citrix has shown that this problem also affects certain implementations of Citrix SDWAN, in particular Citrix SDWAN WANOP edition. Citrix SDWAN WANOP edition packages Citrix ADC as a load balancer, resulting in the affected status.”

Disclosed on December 17 and assigned a CVSS score of 9.8, the critical path traversal vulnerability can be weaponized to launch arbitrary code execution attacks without authentication.

At the time of disclosure, the security flaw had no patch available, and up to 80,000 organizations in 159 countries were thought to be at risk, according to Mikhail Klyuchnikov of Positive Technologies, who originally reported the problem.

Citrix recommended mitigation steps until a fix was available.

Citrix ADC and Citrix Gateway version 13.0, Citrix ADC and NetScaler Gateway version 12.1, Citrix ADC and NetScaler Gateway version 12.0, Citrix ADC and NetScaler Gateway version 11.1 and Citrix NetScaler ADC and NetScaler Gateway version 10.5, all supported builds, are affected, in addition to SD-WAN WANOP product versions 10.2.6 and 11.0.3.

It didn’t take long for attackers to begin scanning the internet for vulnerable Citrix instances. In the first week of January, honeypots revealed a spike in Citrix scans, and by January 11 exploit code had been made public on GitHub, making attacks on vulnerable machines trivial.

According to FireEye, a threat actor operating behind Tor has also been deploying a payload called NotRobin on vulnerable instances.

This prompted Citrix to release a timeline of expected fixes, with patches expected for versions 13 and 12.1 on January 27; 10.5 on January 31; and 12 and 11.1 on January 20.

Fixes for ADC versions 12 and 11.1 landed a day early. In a security advisory, the software company urged customers to install the patches “immediately” and noted that if multiple versions of ADC are in use, IT administrators should monitor the fixes released for different builds.

“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated,” said Citrix. “It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 (MPX or VPX) instances to build 11.1.63.15 to repair the vulnerabilities. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 (MPX or VPX) instances to build 12.0.63.13 to install the vulnerabilities.”

The patches for versions 12 and 11.1 are now available for download.

In addition, Citrix has moved up the release of fixes for the other versions. Citrix ADC patches for versions 12.1, 13 and 10.5 are now expected on January 24, and a Citrix SD-WAN WANOP fix is also expected on the same day.

Citrix has also provided a verification tool for IT administrators to verify that fixes have been applied correctly.
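For fleets running several ADC branches at once, the build numbers and release dates above can be turned into a quick inventory triage. The sketch below is an added example, not Citrix's verification tool and not code from the advisory; the host names, the inventory, the accepted version-string formats and the assumption that builds newer than the quoted fixed build also carry the fix are all constructed for illustration.

```python
import re

# Fixed builds quoted in the article for the two branches patched so far.
FIXED_BUILDS = {"11.1": (63, 15), "12.0": (63, 13)}
# Affected branches whose fixes the article says are still pending (January 24).
PENDING_BRANCHES = {"10.5", "12.1", "13.0"}

# Assumption: version strings arrive either in the dotted form the advisory
# uses ("12.0.63.13") or in a "NS12.0: Build 63.13.nc" banner style.
_PATTERNS = (
    re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)"),
    re.compile(r"\b(\d+\.\d+)\.(\d+)\.(\d+)\b"),
)

def parse_build(text):
    # Returns (branch, (major_build, minor_build)) or None if nothing matches.
    for pat in _PATTERNS:
        m = pat.search(text)
        if m:
            return m.group(1), (int(m.group(2)), int(m.group(3)))
    return None

def triage(text):
    parsed = parse_build(text)
    if parsed is None:
        return "unparsed"
    branch, build = parsed
    if branch in FIXED_BUILDS:
        # Compare as integer tuples: a string compare would rank build
        # "9.20" above "63.15" and wrongly report it as patched.
        return "patched" if build >= FIXED_BUILDS[branch] else "upgrade-now"
    if branch in PENDING_BRANCHES:
        return "mitigate-until-fix"
    return "unknown-branch"

# Constructed inventory (hypothetical hosts and builds).
INVENTORY = {
    "gw-01": "NetScaler NS12.0: Build 63.13.nc",
    "gw-02": "NetScaler NS12.0: Build 62.8.nc",
    "adc-03": "11.1.63.15",
    "adc-04": "NetScaler NS13.0: Build 47.24.nc",
    "adc-05": "11.1.9.20",
    "lb-06": "firmware unknown",
}

def report(inventory=INVENTORY):
    return {host: triage(version) for host, version in inventory.items()}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

A "patched" result only reflects the installed build; it says nothing about whether the appliance was accessed before the upgrade, and SD-WAN WANOP versions are not covered by this sketch.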

