Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:47 PM
Connect Directly

Exploits Released for As-Yet Unpatched Critical Citrix Flaw

Organizations need to apply mitigations for vulnerability in Citrix Application Delivery Controller and Citrix Gateway ASAP, security researchers say.

Organizations that have not yet applied recommended mitigations for a recently disclosed remotely exploitable flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products now have a very good reason to do so immediately.

Two separate groups of researchers have posted proof-of-concept exploit code for the vulnerability (CVE-2019-19781) on GitHub. One exploit is from a group of researchers from India called Project Zero India, and the other exploit, dubbed Citrixmash, is from researchers at security consulting firm TrustedSec. Security researchers meanwhile also are reporting a surge in scanning activity in recent days suggesting that attackers are actively looking for systems to exploit.

Citrix has not yet released a patch for the flaw, which was disclosed in late December. Security researchers have described the vulnerability as especially dangerous because it allows unauthenticated remote attackers to run arbitrary exploit code on vulnerable systems.

The concerns have been heightened by the fact that Citrix products are used widely on enterprise networks for many tasks, including remote access to internal systems from any device.

Another aggravating factor is the fact that the vulnerability is considered very trivial to exploit. TrustedSec says it developed its exploit simply based on information in Citrix's workaround. Citrix has urged organizations with the vulnerable software to make certain configuration changes to their ADC and Gateway systems — formerly known as Netscaler ADC and Netscaler Gateway — to mitigate risk of attack. A patch for the appliance firmware won't be available from Citrix until around Jan. 20.

The DHS's Cybersecurity and Infrastructure Security Agency (CISA) on Monday released a utility that it said enables organizations to quickly test whether their Citrix ADC and Citrix Gateway software are susceptible to the CVE-2019-19781 vulnerability.

"TrustedSec can confirm that we have a 100% fully working remote code execution exploit that is able to directly attack any Citrix ADC server from an unauthenticated manner," TrustedSec security consultant David Kennedy said in a blog post. Organizations with vulnerable systems should immediately implement mitigation measures for the flaw because attackers are actively scanning for systems to attack, he said.

In posting the exploit on GitHub, TrustedSec claimed it was only doing so because others had published the code first. "We would have hoped to have had this hidden for awhile longer while defenders had appropriate time to patch their systems," the company said.

Heightened Risk

Exploit code landing before the patch significantly heightens risks for the many organization that have not yet taken any mitigation measures against it.

"Any organization with a NetScaler or ADC login portal exposed to the Internet and lacking the mitigation has almost certainly been compromised by now," says Craig Young, principal security researcher at Tripwire. All it takes to exploit the flaw in most situations is just two specific HTTPS requests, according to Tripwire.

"One of the more likely things I expect to see happen is that many of the systems will be utilized for cryptocurrency mining, or will simply be resold on criminal marketplaces as footholds into specific networks," Young says.

Estimates on the number of Citrix systems that remain vulnerable to the threat have varied somewhat in recent days. A scan that Tripwire conducted some 21 days after the flaw was first disclosed showed that 39,378 out of 58,620 scanned IPs remained vulnerable to attack.

About one-third of those vulnerable systems - or 13,321 - were located in the United States. Other countries with a relatively large number of vulnerable systems include Germany (4,552), United Kingdom (3,321), Switzerland (1,725), and Australia (1,618).

According to Young, the list of vulnerable systems contains numerous high-value systems belonging to organizations across multiple critical sectors including financial services, healthcare, and government. "My approach took less than 30 minutes to prepare and yielded tens of thousands of results," he says.

Cyber threat intelligence firm Bad Packets over the weekend pegged the number of vulnerable systems at a shade over 25,100. Of these, 18,155 had SSL certificates with unique domain names. According to Bad Packets, opportunistic mass-scanning activity targeting the vulnerability has soared in recent days, including from hosts located in Germany and Poland. The sheer scale of the activity suggests that attackers have likely enumerated all vulnerable, publicly accessibly Citrix Gateway and Citrix ADC endpoints by now, Bad Packets said.

"Travelex was recently breached using a very similar flaw in a competing VPN product," Young says.  In that particular incident the attackers pilfered gigabytes of payment card data and other PII over a six-month period before ultimately deploying the REvil ransomware in an unsuccessful bid for about $6 million.

"A breach of this sort can potentially divulge everything within an organization. Customer databases, financial documents, source code, embarrassing emails, and just about everything else would be within reach of a skilled attacker with this level of access," Young warns.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "6 Unique InfoSec Metrics CISOs Should Track in 2020."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Ling Seligman
Ling Seligman,
User Rank: Apprentice
1/15/2020 | 5:46:04 AM
I was not aware before that there are vulnerabilities in the Citrix Application Delivery Controller. Now I will surely apply recommended mitigations to avoid further damage as soon as possible.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.