Vendor promises patch by the end of January

Proof-of-concept code targeting a previously disclosed Citrix vulnerability was published over the weekend in a further sign that widespread attacks may be imminent.

Thin client-turned-cloud computing vendor Citrix responded by promising patches before the end of the month, setting up a potential race to shore up vulnerable systems before the dangerous vulnerability becomes a vector for cyber-attacks against enterprise networks around the world.

Two proof-of-concept exploits against CVE-2019-19781 (AKA ‘Shitrix’) were released over the weekend against the backdrop of intensified efforts to hunt for vulnerable systems.

The decision to drop a zero-day exploit on a Friday earned Project Zero India – a group of Indian security researchers unaffiliated with Google’s Project Zero – criticism from their peers.

A second group of researchers, TrustedSec, followed up on Saturday with the release of their own exploit tool, justifying the release by stating that “exploit code [is] in the wild already”.

Web security experts separately report that mass scanning activity that began last week further intensified over the weekend amid (so far) isolated attempts to install backdoor agents onto vulnerable systems.

Johannes Ullrich, a SANS Internet Storm Center handler, reports: “We do see heavy exploitation of the flaw using variations of both exploits... Much of the scanning we have seen so far is just testing the vulnerability by attempting to run commands like ‘id’ and ‘uname’.

“A few exploits attempted to download additional code,” he added.

Insecure Gateway

CVE-2019-19781, which affects Citrix Application Delivery Controller (ADC) and Gateway products, surfaced in mid-December.

Citrix has thus far offered only advice on how to mitigate the vulnerability rather than issuing a more comprehensive patch.

In an update issued on Sunday (January 12), Citrix said that firmware updates to address the vulnerability will be released between January 20 and the end of this month, with the release date depending on the product version.

Successful exploitation opens the door for a remote unauthenticated attacker to execute malicious code on vulnerable gateways.

The vulnerability, which arises from a path traversal flaw and is evidently far from difficult to exploit, also offers a route for attackers to gain access to the internal networks of companies using the vulnerable products.

Tripwire’s Craig Young last week estimated that less than a third of Citrix NetScaler or ADC VPN portals had mitigation enabled, some three weeks after Citrix’s initial advisory.

Security researcher Troy Mursch found that, as of Monday morning, around 25,000 Citrix servers remain vulnerable.

Affected organizations include governments, universities, hospitals, and banks in more than 120 countries worldwide, Mursch warns in a blog post.

A discussion of the issue on the Netsec subreddit and a YouTube walkthrough of the vulnerability together offer additional resources for security defenders looking to get up to speed on this clear and present danger to enterprise system security.
