Vulnerable Citrix Servers

Security researchers have observed ongoing scans over the past week for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers vulnerable to attacks exploiting CVE-2019-19781.

This vulnerability impacts multiple Citrix products and could potentially expose the networks of over 80,000 firms to hacking attacks, according to a Positive Technologies report from December.

As the security outfit said at the time, “at least 80,000 companies in 158 countries are potentially at risk,” with the top 5 countries being “the United States (the absolute leader, with over 38 percent of all vulnerable organizations), the UK, Germany, the Netherlands, and Australia.”

“Depending on specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP),” Positive Technologies added. “In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked.”

No public exploits available

CVE-2019-19781 carries a 9.8 Critical CVSS v3.1 base score and, if successfully exploited, could allow unauthenticated attackers to achieve arbitrary code execution via directory traversal.

However, as security researcher Kevin Beaumont, who shared the info on active CVE-2019-19781 scans on Twitter, said, no exploitation of this security issue has been observed so far and no information on an exploit is publicly available.

SANS Technology Institute’s Dean of Research Johannes B. Ullrich, who monitored scans for vulnerable Citrix systems during the last week, also confirmed that no active exploitation has been observed and that no public exploits are yet available.

Despite this, he also added that credible sources “have indicated that they were able to create a code execution exploit.”

According to Citrix, CVE-2019-19781 affects all supported product versions and platforms:

• Citrix ADC and Citrix Gateway version 13.0, all supported builds
• Citrix ADC and NetScaler Gateway version 12.1, all supported builds
• Citrix ADC and NetScaler Gateway version 12.0, all supported builds
• Citrix ADC and NetScaler Gateway version 11.1, all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5, all supported builds

Mitigation measures

While Citrix hasn’t yet released a firmware patch to address this security flaw, the company has published a set of mitigation measures for standalone systems and clusters and strongly recommends that all impacted customers apply them as soon as possible.

“Customers should then upgrade all of their vulnerable appliances to a fixed version of the appliance firmware when released,” Citrix also says.

To be alerted when updated firmware becomes available for impacted Citrix products, customers are also advised to subscribe to Citrix bulletin alerts.

Nextron Systems’ Florian Roth also provides a Sigma detection rule for SIEM systems that detects CVE-2019-19781 exploitation attempts against Citrix NetScaler, Application Delivery Controller, and Citrix Gateway.

The rule inspects the requested URI of each web request and, if it contains ‘/../vpns/’ or ‘/vpns/cfg/smb.conf’, logs it as a critical alert.
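As an added illustration (not Florian Roth’s Sigma rule itself, nor code from the original article), the matching logic described above applied to constructed web-server access-log lines. Percent-decoding the URI before matching is an assumption added here so that encoded traversal sequences are not missed by the substring check.

```python
"""Flag web requests matching the CVE-2019-19781 indicators described above.

Added example: applies the two path substrings named for the Sigma rule to
Apache combined-format access-log lines. Sample lines are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# The two indicator strings named on the page.
INDICATORS = ("/../vpns/", "/vpns/cfg/smb.conf")

# Parses source IP, timestamp, method, URI and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2020:10:00:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.9 - - [10/Jan/2020:10:00:03 +0000] "GET /vpn/..%2fvpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "curl/7.64"
198.51.100.2 - - [10/Jan/2020:10:00:04 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""


def matches_indicator(uri: str) -> Optional[str]:
    """Return the first indicator found in the URI, or None.

    The URI is percent-decoded first (an assumption added in this example)
    so that '..%2f' style encodings still hit the plain substring check.
    """
    decoded = unquote(uri)
    for indicator in INDICATORS:
        if indicator in decoded:
            return indicator
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one critical alert record per log line that matches an indicator."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-access-log line; skip rather than fail
        hit = matches_indicator(m["uri"])
        if hit:
            alerts.append({"src": m["src"], "ts": m["ts"], "uri": m["uri"],
                           "indicator": hit, "level": "critical"})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```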

“Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet,” says Dmitry Serebryannikov, Director of the Security Audit Department at Positive Technologies.

“Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.”