Exploits for Citrix ADC and Gateway flaw abound, attacks are ongoing

With several exploits targeting CVE-2019-19781 having been released over the weekend and the number of vulnerable endpoints still being over 25,000, attackers are having a field day.


Do you use Citrix’s Application Delivery Controller (ADC) or Gateway? If you haven’t implemented the mitigations provided by the company, there’s a good chance you have already been hit.

Numerous CVE-2019-19781 exploits available

The existence of CVE-2019-19781 – humorously dubbed Shitrix by cybersecurity researcher Kevin Beaumont – was first made public in late December.

Discovered by Mikhail Klyuchnikov of Positive Technologies, the flaw has yet to be patched. In the meantime, Citrix offered mitigation advice to users.

This mitigation document allowed researchers to work out the nature and details of the flaw.

Some of those researchers then published exploits and scanners for it, and further exploits followed.

CVE-2019-19781 is very bad news: it’s easy to exploit and can lead to remote code execution. The exploit published by TrustedSec “works well” and establishes a reverse shell, SANS ISC’s Johannes Ullrich noted.

“We do see heavy exploitation of the flaw using variations of both exploits. Most attempts follow the ‘Project Zero India’ pattern, which is likely simpler to include in existing exploit scripts. Much of the scanning we have seen so far is just testing the vulnerability by attempting to run commands like ‘id’ and ‘uname’,” he shared.

“A few exploits attempted to download additional code. I was successful retrieving one sample so far, a simple Perl backdoor.”

SANS ISC handler Didier Stevens shared an overview of the payloads delivered by the attackers. AlienVault has consolidated indicators of compromise from a number of reports of recent exploitation of the flaw.

Implement mitigations, check for compromise

Citrix CISO Fermin J. Serna urged users to go through the offered mitigation steps and said that they are working on developing permanent fixes.

“As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested,” he noted, adding that the first fixes (in the form of refresh builds) are scheduled for release on January 20, followed by the rest on January 27 and 31.

TrustedSec provided instructions for checking whether your Citrix endpoints have already been compromised.

You might also want to peruse Beaumont’s advice:
