Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

04:47 PM
Connect Directly

Exploits Released for As-Yet Unpatched Critical Citrix Flaw

Organizations need to apply mitigations for vulnerability in Citrix Application Delivery Controller and Citrix Gateway ASAP, security researchers say.

Organizations that have not yet applied recommended mitigations for a recently disclosed remotely exploitable flaw in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products now have a very good reason to do so immediately.

Two separate groups of researchers have posted proof-of-concept exploit code for the vulnerability (CVE-2019-19781) on GitHub. One exploit is from a group of researchers from India called Project Zero India, and the other exploit, dubbed Citrixmash, is from researchers at security consulting firm TrustedSec. Security researchers meanwhile also are reporting a surge in scanning activity in recent days suggesting that attackers are actively looking for systems to exploit.

Citrix has not yet released a patch for the flaw, which was disclosed in late December. Security researchers have described the vulnerability as especially dangerous because it allows unauthenticated remote attackers to run arbitrary exploit code on vulnerable systems.

The concerns have been heightened by the fact that Citrix products are used widely on enterprise networks for many tasks, including remote access to internal systems from any device.

Another aggravating factor is the fact that the vulnerability is considered very trivial to exploit. TrustedSec says it developed its exploit simply based on information in Citrix's workaround. Citrix has urged organizations with the vulnerable software to make certain configuration changes to their ADC and Gateway systems — formerly known as Netscaler ADC and Netscaler Gateway — to mitigate risk of attack. A patch for the appliance firmware won't be available from Citrix until around Jan. 20.

The DHS's Cybersecurity and Infrastructure Security Agency (CISA) on Monday released a utility that it said enables organizations to quickly test whether their Citrix ADC and Citrix Gateway software are susceptible to the CVE-2019-19781 vulnerability.

"TrustedSec can confirm that we have a 100% fully working remote code execution exploit that is able to directly attack any Citrix ADC server from an unauthenticated manner," TrustedSec security consultant David Kennedy said in a blog post. Organizations with vulnerable systems should immediately implement mitigation measures for the flaw because attackers are actively scanning for systems to attack, he said.

In posting the exploit on GitHub, TrustedSec claimed it was only doing so because others had published the code first. "We would have hoped to have had this hidden for awhile longer while defenders had appropriate time to patch their systems," the company said.

Heightened Risk

Exploit code landing before the patch significantly heightens risks for the many organization that have not yet taken any mitigation measures against it.

"Any organization with a NetScaler or ADC login portal exposed to the Internet and lacking the mitigation has almost certainly been compromised by now," says Craig Young, principal security researcher at Tripwire. All it takes to exploit the flaw in most situations is just two specific HTTPS requests, according to Tripwire.

"One of the more likely things I expect to see happen is that many of the systems will be utilized for cryptocurrency mining, or will simply be resold on criminal marketplaces as footholds into specific networks," Young says.

Estimates on the number of Citrix systems that remain vulnerable to the threat have varied somewhat in recent days. A scan that Tripwire conducted some 21 days after the flaw was first disclosed showed that 39,378 out of 58,620 scanned IPs remained vulnerable to attack.

About one-third of those vulnerable systems - or 13,321 - were located in the United States. Other countries with a relatively large number of vulnerable systems include Germany (4,552), United Kingdom (3,321), Switzerland (1,725), and Australia (1,618).

According to Young, the list of vulnerable systems contains numerous high-value systems belonging to organizations across multiple critical sectors including financial services, healthcare, and government. "My approach took less than 30 minutes to prepare and yielded tens of thousands of results," he says.

Cyber threat intelligence firm Bad Packets over the weekend pegged the number of vulnerable systems at a shade over 25,100. Of these, 18,155 had SSL certificates with unique domain names. According to Bad Packets, opportunistic mass-scanning activity targeting the vulnerability has soared in recent days, including from hosts located in Germany and Poland. The sheer scale of the activity suggests that attackers have likely enumerated all vulnerable, publicly accessibly Citrix Gateway and Citrix ADC endpoints by now, Bad Packets said.

"Travelex was recently breached using a very similar flaw in a competing VPN product," Young says.  In that particular incident the attackers pilfered gigabytes of payment card data and other PII over a six-month period before ultimately deploying the REvil ransomware in an unsuccessful bid for about $6 million.

"A breach of this sort can potentially divulge everything within an organization. Customer databases, financial documents, source code, embarrassing emails, and just about everything else would be within reach of a skilled attacker with this level of access," Young warns.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "6 Unique InfoSec Metrics CISOs Should Track in 2020."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Ling Seligman
Ling Seligman,
User Rank: Apprentice
1/15/2020 | 5:46:04 AM
I was not aware before that there are vulnerabilities in the Citrix Application Delivery Controller. Now I will surely apply recommended mitigations to avoid further damage as soon as possible.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-12
A Cross SIte Scripting (XSS) vulnerability exists in Dhcms 2017-09-18 in guestbook via the message board, which could let a remote malicious user execute arbitrary code.
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter.
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Cross-Site Scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/documentnotes/saveNote' via the 'nota' parameter.
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to unauthenticated reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in '/servlet/AdapterHTTP' via the 'targetService' parameter.
PUBLISHED: 2021-05-12
Knowage Suite 7.3 is vulnerable to Stored Client-Side Template Injection in '/knowage/restful-services/signup/update' via the 'name' parameter.