Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:47 PM
Connect Directly

Exploits Released for As-Yet Unpatched Critical Citrix Flaw

Organizations need to apply mitigations for vulnerability in Citrix Application Delivery Controller and Citrix Gateway ASAP, security researchers say.

Organizations that have not yet applied recommended mitigations for a recently disclosed remotely exploitable flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products now have a very good reason to do so immediately.

Two separate groups of researchers have posted proof-of-concept exploit code for the vulnerability (CVE-2019-19781) on GitHub. One exploit is from a group of researchers from India called Project Zero India, and the other exploit, dubbed Citrixmash, is from researchers at security consulting firm TrustedSec. Security researchers meanwhile also are reporting a surge in scanning activity in recent days suggesting that attackers are actively looking for systems to exploit.

Citrix has not yet released a patch for the flaw, which was disclosed in late December. Security researchers have described the vulnerability as especially dangerous because it allows unauthenticated remote attackers to run arbitrary exploit code on vulnerable systems.

The concerns have been heightened by the fact that Citrix products are used widely on enterprise networks for many tasks, including remote access to internal systems from any device.

Another aggravating factor is the fact that the vulnerability is considered very trivial to exploit. TrustedSec says it developed its exploit simply based on information in Citrix's workaround. Citrix has urged organizations with the vulnerable software to make certain configuration changes to their ADC and Gateway systems — formerly known as Netscaler ADC and Netscaler Gateway — to mitigate risk of attack. A patch for the appliance firmware won't be available from Citrix until around Jan. 20.

The DHS's Cybersecurity and Infrastructure Security Agency (CISA) on Monday released a utility that it said enables organizations to quickly test whether their Citrix ADC and Citrix Gateway software are susceptible to the CVE-2019-19781 vulnerability.

"TrustedSec can confirm that we have a 100% fully working remote code execution exploit that is able to directly attack any Citrix ADC server from an unauthenticated manner," TrustedSec security consultant David Kennedy said in a blog post. Organizations with vulnerable systems should immediately implement mitigation measures for the flaw because attackers are actively scanning for systems to attack, he said.

In posting the exploit on GitHub, TrustedSec claimed it was only doing so because others had published the code first. "We would have hoped to have had this hidden for awhile longer while defenders had appropriate time to patch their systems," the company said.

Heightened Risk

Exploit code landing before the patch significantly heightens risks for the many organization that have not yet taken any mitigation measures against it.

"Any organization with a NetScaler or ADC login portal exposed to the Internet and lacking the mitigation has almost certainly been compromised by now," says Craig Young, principal security researcher at Tripwire. All it takes to exploit the flaw in most situations is just two specific HTTPS requests, according to Tripwire.

"One of the more likely things I expect to see happen is that many of the systems will be utilized for cryptocurrency mining, or will simply be resold on criminal marketplaces as footholds into specific networks," Young says.

Estimates on the number of Citrix systems that remain vulnerable to the threat have varied somewhat in recent days. A scan that Tripwire conducted some 21 days after the flaw was first disclosed showed that 39,378 out of 58,620 scanned IPs remained vulnerable to attack.

About one-third of those vulnerable systems - or 13,321 - were located in the United States. Other countries with a relatively large number of vulnerable systems include Germany (4,552), United Kingdom (3,321), Switzerland (1,725), and Australia (1,618).

According to Young, the list of vulnerable systems contains numerous high-value systems belonging to organizations across multiple critical sectors including financial services, healthcare, and government. "My approach took less than 30 minutes to prepare and yielded tens of thousands of results," he says.

Cyber threat intelligence firm Bad Packets over the weekend pegged the number of vulnerable systems at a shade over 25,100. Of these, 18,155 had SSL certificates with unique domain names. According to Bad Packets, opportunistic mass-scanning activity targeting the vulnerability has soared in recent days, including from hosts located in Germany and Poland. The sheer scale of the activity suggests that attackers have likely enumerated all vulnerable, publicly accessibly Citrix Gateway and Citrix ADC endpoints by now, Bad Packets said.

"Travelex was recently breached using a very similar flaw in a competing VPN product," Young says.  In that particular incident the attackers pilfered gigabytes of payment card data and other PII over a six-month period before ultimately deploying the REvil ransomware in an unsuccessful bid for about $6 million.

"A breach of this sort can potentially divulge everything within an organization. Customer databases, financial documents, source code, embarrassing emails, and just about everything else would be within reach of a skilled attacker with this level of access," Young warns.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "6 Unique InfoSec Metrics CISOs Should Track in 2020."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ling Seligman
Ling Seligman,
User Rank: Apprentice
1/15/2020 | 5:46:04 AM
I was not aware before that there are vulnerabilities in the Citrix Application Delivery Controller. Now I will surely apply recommended mitigations to avoid further damage as soon as possible.
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-02-25
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
PUBLISHED: 2020-02-24
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
PUBLISHED: 2020-02-24
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...
PUBLISHED: 2020-02-24
controllers/admin.js in Total.js CMS 13 allows remote attackers to execute arbitrary code via a POST to the /admin/api/widgets/ URI. This can be exploited in conjunction with CVE-2019-15954.
PUBLISHED: 2020-02-24
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind...