Critical Update To Citrix Vulnerability Exploited

The Threat:

Citrix has updated their security bulletin with important new information. Please see the What You Should Do About It section below.

The eSentire Security Operations Center (SOC) has observed a behavior change in the active exploitation of Citrix’s vulnerability. This vulnerability is actively being used by threat groups to weaponize for other malicious purposes, in particular, targeting data to exfiltrate. This is in addition to the delivery of cryptocurrency mining malware, as we notified on January 13, 2020.

The SOC is actively responding to and effectively containing multiple incidents of vulnerable Citrix appliances. Given the expected two-week lag time between current events and formal patch releases from Citrix, and the lack of adoption of Citrix’s recommended mitigations, our cyber security experts are the most effective defense at this time.

What we’re doing about it:

• Known scanner and payload IP addresses have been added to the eSentire Global Black List
• MVS (formerly esRECON) has plugins to identify the vulnerability CVE-2019-19781
• esLOG customers have been reviewed for signs of Citrix ADC exploitation

What you should do about it:

• UPDATE January 16, 2020:
  • If running Citrix ADC Release 12.1, builds before 51.16/51.19 and 50.31 the mitigation steps are not effective. Citrix recommends updating to an unaffected build prior to applying mitigation
  • Customers can validate mitigation actions using the CVE Verification Tool released by Citrix

• It is highly recommended that affected clients apply the mitigation actions provided by Citrix [1]
• See the TrustedSec blog post NetScaler Remote Code Execution Forensics for technical and investigation details [2]

Additional information:

CVE-2019-19781 allows simple directory traversal by a remote attacker in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. Additionally, the vulnerability affects the Citrix SD-WAN WANOP appliance, versions 10.2.6 and 11.0.3. No patches have been made available at this time.

From Citrix Advisory:

The vulnerability affects all supported product versions and all supported platforms:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
• Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100 all supported builds

Event Timeline

Jan 16 - Citrix discloses new impacted products, bugs in Citrix ADC build 12.1, and a CVE verification tool.

Jan 15 – Tactics switched to more sophisticated methods

Jan 12 - Exploitation to deliver cryptocurrency mining malware was identified by eSentire

Jan 8 - Initial Citrix advisory was released by eSentire [7]

Jan 8 - Active exploitation of honeypot environment observed by researcher Kevin Beaumont [6]

Dec 31 - SANS releases a speculative proof of concept [5]

Dec 23 - Positive Technologies comments on the potential impact of the vulnerability [4]

Dec 16 - Mitigation steps provided by Citrix [1]

Dec 16 - Vulnerability publicly disclosed by Citrix [3]

Expected Patch Release [8]

References:

[1] https://support.citrix.com/article/CTX267679

[2] https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/

[3] https://support.citrix.com/article/CTX267027

[4] https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/

[5] https://isc.sans.edu/forums/diary/Some+Thoughts+About+the+Critical+Citrix+ADCGateway+Vulnerability+CVE201919781/25660/

[6] https://twitter.com/GossiTheDog/status/1214892555306971138

[7] https://www.esentire.com/security-advisories/critical-citrix-vulnerability-exploited/

[8] https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/