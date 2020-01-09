

No patch for serious Citrix NetScaler bug yet

This critical Citrix bug can affect 80,000 companies.

Attackers are scanning for Citrix servers vulnerable to a critical security flaw in ADC and Gateway products, researchers have warned.

Announced in December, the severe vulnerability, tracked as CVE-2019-19781, affects the Citrix Application Delivery Controller (ADC) – also known as NetScaler ADC – in addition to Citrix Gateway, formerly known as NetScaler Gateway. Originally reported by Mikhail Klyuchnikov of Positive Technologies, the critical vulnerability allows directory traversal and lets attackers carry out remote code execution (RCE) attacks.

According to a Citrix security advisory, these products are affected:

Citrix ADC and Citrix Gateway version 13.0 all supported builds

Citrix ADC and NetScaler Gateway version 12.1 all supported builds

Citrix ADC and NetScaler Gateway version 12.0 all supported builds

Citrix ADC and NetScaler Gateway version 11.1 all supported builds

Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Researchers have estimated that at least 80,000 organizations in 158 countries use ADC and may therefore be at risk. Companies in the firing line are mainly based in the US – around 38 percent – as well as the UK, Germany, the Netherlands and Australia.

“Depending on the specific configuration, Citrix applications can be used to connect to workstations and critical operating systems (including ERP),” says Positive Technologies. “In almost all cases, Citrix applications are accessible on the perimeter of the corporate network and are therefore the first to be attacked. This vulnerability means that every unauthorized attacker has access not only to published applications, but also to other sources of the company’s internal network. Citrix server.”

As reported by Bleeping Computer, cyber security researchers have detected a spike in scans for Citrix servers that may be vulnerable to the bug.

On Twitter, researcher Kevin Beaumont said that one of his honeypots had revealed that “attackers read sensitive configuration files remotely using ../ directory traversal (a variant of this number).”

It seems that no public exploit code is being used – at least not yet. SANS Technology Institute dean of research Johannes Ullrich noted, based on his own honeypot, that the current scans do not appear to be “refined” in any way – some are no more than GET requests – but added that “other sources I believe are credible have indicated that they have been able to make a code execution exploit.”
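A defender's view of the scans described above, as an added example that is not part of the original article: it flags requests in a web access log whose path contains a `..` segment, including percent-encoded and double-encoded forms, and separates out any that the server answered with 200. The log format, paths and addresses are constructed placeholders, not indicators from the honeypots mentioned.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format is an assumption).
# Paths and addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jan/2020:10:01:02 +0000] "GET /portal/../internal/settings.conf HTTP/1.1" 200 512
203.0.113.7 - - [09/Jan/2020:10:01:05 +0000] "GET /portal/%2e%2e/internal/settings.conf HTTP/1.1" 403 0
198.51.100.23 - - [09/Jan/2020:10:02:11 +0000] "GET /portal/%252e%252e%252finternal/ HTTP/1.1" 404 0
192.0.2.10 - - [09/Jan/2020:10:03:40 +0000] "GET /portal/index.html?ref=a..b HTTP/1.1" 200 2048
192.0.2.10 - - [09/Jan/2020:10:03:41 +0000] "POST /portal/login HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def has_traversal(target):
    """True if any path segment of the request target is '..' after decoding."""
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    return ".." in path.split("/")

def find_traversal_requests(log_text):
    """Return (source, method, target, status) for each traversal request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and has_traversal(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return hits

def summarize(hits):
    """Count hits per source and list traversal requests answered with 200."""
    per_source = Counter(h[0] for h in hits)
    served = [h for h in hits if h[3] == 200]
    return per_source, served

if __name__ == "__main__":
    print(summarize(find_traversal_requests(SAMPLE_LOG)))
```

A traversal request that returned 200 is the one to investigate first, since it suggests the server served the file rather than rejecting the path.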

A patch has yet to be released for the problem, but Citrix has meanwhile released mitigation guidelines. The company recommends that IT administrators run a series of commands, available here, to adjust the responder policy.

“Citrix strongly urges affected customers to immediately apply the limitation offered. Customers must then upgrade all their vulnerable devices to a fixed version of the device firmware when they are released,” Citrix says.

In March last year, Citrix reported a vulnerability caused by weak account credentials, in a technique known as password spraying. Threat actors were able to access internal networks and download confidential business documents.

