Attackers exploiting critical Citrix ADC, Gateway flaw, company yet to release fixes

Nearly a month has passed since Citrix released mitigation measures for CVE-2019-19781, a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway, which could lead to remote code execution.

The end of the year festivities and holidays can be blamed for the announcement not receiving a lot of attention, but those have now passed and, according to SANS ISC and security researcher Kevin Beaumont, there are attackers out there scanning for vulnerable systems and probing them (reading sensitive credential configuration files).

About the vulnerable products

Citrix Application Delivery Controller (formerly NetScaler ADC) is an application delivery and load balancing solution.

Citrix Gateway (formerly NetScaler Gateway) is a secure remote access network gateway solution that is offered as a cloud service or an on-premises solution.

Citrix confirmed that CVE-2019-19781 affects:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

About CVE-2019-19781

The vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies and reported to Citrix late last year.

PT says that the vulnerability may allow unauthenticated attackers to obtain direct access to the company’s local network from the internet.

“Depending on specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP). In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked. This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server,” they explained, but did not share more specific details about the flaw.

Citrix has published mitigation advice, though, and Tripwire security researcher Craig Young has used it to deduce the underlying problem and realize that a working exploit can be as simple as chaining two HTTPS requests to take advantage of what is, partly, an issue of insufficient access control.

What to do?

As Citrix is yet to release actual fixes, enterprise admins are advised to peruse the company’s mitigation advice and implement it as soon as possible, then upgrade all of their vulnerable appliances to a fixed version when one is released (though they didn’t say when that may be).

PT says that web application firewalls can be used to fend off potential attacks by blocking all dangerous requests.

“Considering how long this vulnerability has been around (since the first vulnerable version of the software was released in 2014), detecting potential exploitation of this vulnerability (and, therefore, infrastructure compromise) retrospectively becomes just as important,” they added.

When the vulnerability was first made public, PT scanned the internet for vulnerable installations and found that over 80,000 companies (predominantly North American) run them.

Young’s more recent scanning revealed over 58,000 exposed Citrix appliances, less than a third of which had the mitigation enabled.

“39,378 of the 58,620 scanned IPs were apparently vulnerable. To put this in perspective, I correlated the IP addresses with their certificate data and found more than 26,000 unique subject common name values. The list contains countless high value targets across a swath of verticals including finance, government, and healthcare,” he noted.

“It is alarming that so many organizations are currently at risk in such a sensitive part of their organization. Each one of these devices is an opportunity for criminals or spies to gain access to restricted networks and impersonate authorized users. I would strongly advise all organizations with NetScaler/ADC to apply the mitigation immediately to avoid compromise.”