Attackers are probing Citrix controllers and gateways through recently patched flaws

Earlier this week, Citrix released security updates for Citrix Application Delivery Controller (ADC), Citrix Gateway, and the Citrix SD-WAN WANOP appliance, and urged admins to apply them as soon as possible to reduce risk.


At the time, there was no public attack code and no indication that any of the fixed flaws were getting actively exploited.

On Thursday, though, SANS ISC’s Dr. Johannes Ullrich spotted attackers attempting to exploit two of the Citrix vulnerabilities on his F5 BigIP honeypot (set up to flag CVE-2020-5902 exploitation attempts).

About the vulnerabilities

The fixed flaws are 11 in total, ranging from information disclosure and DoS bugs to elevation of privilege, XSS and code injection flaws.

The security advisory Citrix published lists them and lays out the pre-conditions needed for their exploitation, but does not contain many details.

“We are limiting the public disclosure of many of the technical details of the vulnerabilities and the patches to further protect our customers. Across the industry, today’s sophisticated malicious actors are using the details and patches to reverse engineer exploits. As such, we are taking steps to advise and help our customers but also do what we can to shield intelligence from malicious actors,” Citrix CISO Fermin Serna explained, and made sure to note that the patches provided fully resolve all issues.

He also pointed out that of the 11 vulnerabilities, there are six possible attack routes, and five of those have barriers to exploitation.

Finally, he added that the vulnerabilities have no link to CVE-2019-19781, the remote code execution flaw that’s been heavily exploited by attackers since late December/early January.

About the recent exploitation attempts

Dr. Ullrich said that they are seeing some scans that are looking for systems that haven’t been patched yet.

“One interesting issue is that most of the scans originate from a single ISP so far, suggesting that this may be just one group at this point trying to enumerate vulnerable systems,” he told Help Net Security.

“Vulnerable systems leak information about the system if hit with these exploits. So these are not as dangerous as the code execution issues we saw with Citrix over new year, or the F5 issues. But enumerating systems, and using the leaked information, may lead to additional, more targeted follow-on attacks later.”

One of the exploited vulnerabilities allows arbitrary file downloads, the other allows retrieval of a PCI-DSS report without authentication.

“Some of the other vulnerabilities patched with this update are ‘interesting’, but more tricky to exploit,” he added.
