As attackers continue to hit vulnerable Citrix (formerly Netscaler) ADC and Gateway installations, Citrix has released permanent fixes for some versions and has promised to provide them for other versions and for two older versions of SD-WAN WANOP by January 24.
A short timeline before the situation update
CVE-2019-19781, a critical vulnerability affecting Citrix ADC and Gateway that may allow unauthenticated attackers to achieve remote code execution and obtain direct access to an organization’s local network from the internet, was responsibly disclosed last December.
At the time, Citrix offered only mitigation advice instead of fixes, but both security researchers and attackers eventually used that advice to discern the nature of the flaw and create exploits for it.
The number of publicly available exploits rose quickly over the following days, and attackers began deploying them. At the same time, scans revealed tens of thousands of (still) vulnerable installations.
Citrix CISO Fermin J. Serna then announced that the first fixes would land on January 20.
The current situation
Several days into the rising wave of attacks, FireEye researchers flagged a threat actor gaining access to vulnerable Citrix installations and removing known cryptocurrency miners from them.
At the same time, the actor downloads and deploys a utility (NOTROBIN) that blocks further exploitation attempts against CVE-2019-19781, while also effectively setting up a backdoor that can only be used by someone who knows the right password (a hardcoded key).
“Across multiple investigations, FireEye observed actors deploying NOTROBIN with unique keys. For example, we’ve recovered nearly 100 keys from different binaries,” the researchers noted.
“FireEye believes that the actor behind NOTROBIN has been opportunistically compromising NetScaler devices, possibly to prepare for an upcoming campaign.”
A similar attack, delivering partial fixes, was recently spotted by SANS ISC when it was used against their honeypots.
In the meantime, Citrix confirmed that some SD-WAN WANOP versions (v10.2.6 and 11.0.3) are also vulnerable to CVE-2019-19781 as they include Citrix ADC as a load balancer, and that the offered mitigation steps will work on them.
Finally, on Sunday, the company released fixes for CVE-2019-19781 for ADC versions 11.1 and 12.0.
“These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated,” Serna pointed out.
He also said that the remaining fixes – for ADC versions 12.1, 13 and 10.5, and for SD-WAN WANOP 10.2.6 and 11.0.3 – are scheduled to be released on January 24.
He also warned that the offered fixes can be used only on the indicated versions. “If you have multiple ADC versions in production, you must apply the correct version fix to each system,” he advised.
In the meantime, mitigations should be implemented and admins should check whether they’ve been successfully applied. Citrix has provided a tool that will help them do that.
Also worth noting: CISA released a utility last week that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781. It’s available here.
Also: TrustedSec provided instructions for checking whether your Citrix endpoints have already been compromised through CVE-2019-19781.