Citrix Addresses Critical Vulnerability with Security Patches
Citrix has commenced the rollout of security patches specifically designed to address a critical vulnerability in its ADC and Gateway software. This vulnerability, which became publicly known earlier this month, has already been exploited in real-world attacks, raising urgent concerns among cybersecurity experts and affected enterprises.
Despite the company’s delayed response in releasing updates, hackers have swiftly capitalized on the exposed window, leading to the compromise of numerous Citrix ADC and Gateway systems across the internet. The vulnerability, labeled as CVE-2019-19781, is a path traversal issue that allows unauthenticated remote attackers to execute arbitrary code on several versions of Citrix’s products, including two older iterations of Citrix SD-WAN WANOP.
The CVE-2019-19781 vulnerability has been assigned a critical rating with a CVSS v3.1 score of 9.8. Identified by Mikhail Klyuchnikov, a security researcher from Positive Technologies, the flaw was responsibly disclosed to Citrix in early December. Since the public release of proof-of-concept exploit code, various hacking groups and individuals have actively targeted vulnerable systems, heightening risks for organizations relying on Citrix software.
As of now, cybersecurity experts indicate there are more than 15,000 publicly accessible Citrix ADC and Gateway servers that remain vulnerable, creating opportunities for attackers to infiltrate enterprise networks. FireEye has reported on an ongoing attack campaign using compromised Citrix ADCs to deploy a novel payload termed “NotRobin,” which is designed to scan for existing malware and remove it, allowing the perpetrator to maintain exclusive unauthorized access.
To aid organizations in assessing their risk exposure, Citrix has released a free tool that analyzes system logs and forensic artifacts. This tool helps determine whether an ADC appliance has been compromised through the CVE-2019-19781 vulnerability. According to Citrix, the attackers behind these intrusions use the vulnerability to execute arbitrary shell commands on the NetScaler devices.
Last week, Citrix pledged to deliver patched firmware updates for all supported ADC and Gateway software versions by the end of January 2020. The company has taken steps to remedy earlier versions, announcing that permanent patches are now available for ADC versions 11.1 and 12.0, also applicable to ADC and Gateway VPX hosted on various platforms such as ESX, Hyper-V, and AWS.
For users of Citrix ADC and Citrix Gateway 12.1, 13, 10.5, and SD-WAN WANOP, Citrix has advised implementing interim mitigations until specific patches for those versions are issued. The company emphasizes that environments running multiple ADC versions must apply the patch appropriate to each version on each system.
As organizations implement available updates, administrators are also encouraged to monitor device logs closely for signs of potential attacks. This proactive approach is essential to fortifying defenses against threats emerging from the vulnerabilities in Citrix’s software.
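As an added illustration of the log monitoring recommended above (this is not Citrix's own tool and not code from the original article), the following Python scanner flags requests whose decoded path crosses a directory boundary with `..`, including single- and double-percent-encoded forms. The log layout, IP addresses and file names are constructed; the `/vpn/../vpns/` sequence in the sample is the publicly documented traversal pattern associated with CVE-2019-19781.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic combined access-log layout (not real ADC logs).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.9 - - [11/Jan/2020:10:01:07 +0000] "GET /vpn/../vpns/cfg/example.conf HTTP/1.1" 200 1180
198.51.100.7 - - [11/Jan/2020:10:02:15 +0000] "POST /vpn/%2e%2e/vpns/example.pl HTTP/1.1" 200 64
198.51.100.7 - - [11/Jan/2020:10:02:16 +0000] "GET /vpn/%252e%252e/vpns/cfg/example.conf HTTP/1.1" 404 0
203.0.113.5 - - [11/Jan/2020:10:03:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e) is not missed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(path: str) -> bool:
    """True if any directory segment of the decoded path (query string stripped) is '..'."""
    decoded = fully_decode(path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.replace("\\", "/").split("/"))


def scan_log(text: str) -> list[dict]:
    """Return one record per request whose path contains a traversal segment.
    A 2xx status on such a request deserves the most attention: the appliance
    served the traversed path rather than rejecting it."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not has_traversal(m["path"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                     "decoded": fully_decode(m["path"]), "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["path"]} -> {hit["decoded"]}')
```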
In a recent update, Citrix confirmed the release of a second batch of permanent security patches addressing the critical remote code execution vulnerability affecting ADC and Gateway versions 12.1 and 13.0, further demonstrating the company’s commitment to safeguarding its users.
Understanding the tactics used in these attacks is vital. The MITRE ATT&CK framework describes techniques that threaten organizations running Citrix software, including initial access, credential dumping, and persistence. Businesses must remain vigilant as they address the cybersecurity challenges highlighted by recent vulnerabilities in widely used software.