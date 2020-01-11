

Image: Project Zero India

As of yesterday, public proof-of-concept exploit code is available for CVE-2019-19781, a vulnerability in Citrix enterprise equipment that allows hackers to take over devices and access a company’s internal network.

The vulnerability is as bad as it gets and is considered one of the most dangerous bugs disclosed in recent years.

Code-named Shitrix by the wider infosec community, the vulnerability affects Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway.

The vulnerability is a path traversal bug that can be exploited by an attacker over the Internet. The attacker does not need to authenticate to the device before launching an attack. All an attacker needs to do is send a booby-trapped request to the vulnerable Citrix device, containing the code they want executed on the device.

The bug was discovered and reported to Citrix by Mikhail Klyuchnikov, a researcher at the British security company Positive Technologies. Klyuchnikov said that at the time he found the bug, more than 80,000 organizations were running vulnerable Citrix instances.

Still no patch almost a month later

Citrix issued a security advisory for its customers on December 17, but the company did not issue a patch. Instead, Citrix published a support page describing mitigations in the form of configuration changes.

Almost a month later, Citrix has still not released a patch, despite the seriousness and the large impact of the bug.

Meanwhile, threat actors have started to figure out how to exploit the bug – which, according to many security researchers, is trivial and requires only a few lines of code.

Scans have been going on for weeks, but according to various security experts and cyber security companies running honeypot servers, exploitation attempts have been under way for at least three days.

🚨 In my Citrix ADC honeypot, CVE-2019-19781 is being probed, with attackers remotely reading sensitive configuration files using ../ directory traversal (a variant of this issue). So this is in the wild; active exploitation is starting. 🚨 https://t.co/pDZ2lplSBj

– Kevin Beaumont (@GossiTheDog) January 8, 2020
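As an added defender-side example (not code from the article, from Citrix, or from any of the researchers quoted), the check below scans web access-log lines for the kind of ../ directory traversal that Beaumont's honeypot observed, decoding percent-encoding so that encoded and double-encoded variants are not missed. The log format, client addresses and request paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines; not taken from any real device or the article.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [08/Jan/2020:10:01:07 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [08/Jan/2020:10:01:09 +0000] "GET /static/%2e%2e/%2e%2e/conf/example.conf HTTP/1.1" 403 0
10.0.0.9 - - [08/Jan/2020:10:01:11 +0000] "POST /app/..%252f..%252fsecret HTTP/1.1" 403 0
10.0.0.7 - - [08/Jan/2020:10:01:15 +0000] "GET /docs/a..b/page HTTP/1.1" 200 100
"""

# Extracts the request line ("METHOD PATH PROTO") from a common/combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)"')


def normalize_path(raw: str) -> str:
    """Strip the query string, decode percent-encoding repeatedly (catches
    double encoding such as %252f), and unify backslashes to forward slashes."""
    path = raw.split("?", 1)[0]
    for _ in range(3):  # bounded: stop once decoding no longer changes the path
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True only when a whole '..' segment is present; 'a..b' is not traversal."""
    return any(seg == ".." for seg in normalize_path(raw_path).split("/"))


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose path steps out of its directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not is_traversal(m.group("path")):
            continue
        hits.append({
            "client": line.split(" ", 1)[0],
            "method": m.group("method"),
            "path": m.group("path"),
            "normalized": normalize_path(m.group("path")),
        })
    return hits
```

Pointing this at a device's HTTP access log gives a quick triage signal; a hit is a reason to check the mitigation status of that device and review what the request touched.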

The seriousness of the bug and the clear risk to business systems did not go unnoticed. Over the past few weeks, security experts, government officials, cyber security authorities, CERT teams and everyone under the sun with a basic understanding of enterprise security have urged companies to apply Citrix's mitigations, to prevent attacks on vulnerable machines until Citrix finally releases a permanent fix in the form of a patch.

The Citrix RCE is a doozie. Many good security architectures appropriately rely on Citrix to significantly reduce the attack surface and now run a significant risk. Get this patched. https://t.co/7B9d7e7YK7

– Rob Joyce (@RGB_Lights) January 10, 2020

Cannot emphasize enough – please perform the mitigation steps for the Citrix exploit as soon as possible.

This is really going to be bad, people.

Easy to automate and exploit and is widely used on the internet.

Restriction here: https://t.co/jeF0UC6A9V

– Dave Kennedy (ReL1K) (@HackingDave) January 11, 2020

Proof of concept code widely available

Although attacks have slowly increased in intensity in recent days, the security community believed things would not get out of hand, since without a public exploit attackers would still have to work out for themselves how to exploit vulnerable Citrix systems.

This changed yesterday, Friday evening, when a group of security researchers calling themselves Project Zero India released the first proof-of-concept (PoC) exploit code for CVE-2019-19781.

A few hours later, the TrustedSec team followed with their own PoC. The TrustedSec team had developed their PoC earlier this week but declined to release it, aware that publishing the code on the internet would cause a spike in exploitation attempts, something they did not want to trigger.

“We’re only making this known because others are first publishing the exploit code,” TrustedSec said in a description of their tool on GitHub. “We had hoped to have hidden this for a while, while defenders had the right time to patch their systems.”

The security company hopes that companies will use their tool to test their networks for vulnerable Citrix instances and to verify that they have applied the Citrix mitigation correctly.

They have also published a blog post on how Citrix systems can be analyzed for signs of compromise, in case some companies have had the misfortune of already being hacked.

Additional technical descriptions analyzing the Citrix bug: Positive Technologies, MDSec, TrustedSec.