A storm is brewing

Thousands of enterprises are at heightened risk from a recently discovered vulnerability impacting Citrix products, after it emerged that attackers were actively scouring the web for vulnerable systems.

The vulnerability (CVE-2019-19781), which affects Citrix Application Delivery Controller (ADC) and Gateway products, emerged in mid-December.

The critical security flaw makes it possible for a remote unauthenticated attacker to execute malicious code on vulnerable gateways.

In response, Citrix has so far offered customers only advice on how to mitigate the flaw, rather than a patch that removes it.

In an advisory dated December 17, the Florida-based vendor said it was working on a fixed version of the appliance firmware without giving any timescale for its delivery.

An analysis by security vendor Positive Technologies (PT), published days after Citrix’s advisory, suggested that 80,000 organizations were at risk of attack because of the vulnerability.

It warned that the issue created a ready mechanism for attackers to gain access to the internal networks of companies using the vulnerable products.

Any unauthorized attacker could not only access published applications, but also attack other resources of the company's internal network from the Citrix server, PT said in its post, published December 23.

Patchy mitigation

Craig Young, a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT), has examined this flaw further in a recent blog post.

He estimated that less than a third of Citrix ADC (formerly known as NetScaler ADC) or Gateway VPN portals had the mitigation enabled, some three weeks after Citrix’s initial advisory.

More specifically, he found that 39,378 of the 58,620 scanned IPs identified using Shodan, roughly two-thirds, were still vulnerable.

“I would strongly advise all organizations with NetScaler/ADC to apply the mitigation immediately to avoid compromise,” Young said.

“This is not a particularly difficult flaw to exploit, and it’s almost hard to believe that nobody is exploiting it against real targets yet.”


But the mitigation provided by Citrix has also been brought into question.

“There’s no patch, only manual mitigations, which may break functionality,” security researcher Kevin Beaumont added on Twitter.

“It’s actively being scanned for at scale in the wild too, from known malicious IPs. Citrix need to get on top of this.”

Separately, security researchers are reporting mass scanning for the vulnerability, at least some of it coming from known malicious IP addresses.

This would fit the pattern of reconnaissance hunting for servers affected by CVE-2019-19781, as a prelude to some form of attack.

“So far, all I have seen is evidence that people are scanning for the smb.conf,” Young said.

“As far as I’m concerned, this is an indication that if these scans are from a malicious origin, the people doing the scanning probably do not understand the vulnerability.

“If they did, I expect we would already see tens of thousands of Citrix NetScaler/ADC coopted into a botnet or loaded with ransomware,” he added.
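Young’s reference to scanning for smb.conf is to the widely reported probe for this flaw: a request for /vpn/../vpns/cfg/smb.conf, which an unmitigated appliance answers with a 200 and the file’s contents, while an appliance with Citrix’s published mitigation (a responder policy that returns 403 to any request whose decoded URL contains both /vpns/ and /../) refuses it. The detector below applies that same predicate to web-server access logs, so that defenders can both spot the reconnaissance and see from the status code whether their own gateway served the file. It is an added example written for this page, not code from Tripwire, Citrix or the article; the log lines are constructed, the combined-log format and field names are assumptions, and the probe path is taken from public reporting rather than from this page.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format assumed); not real traffic.
# Two probes from one source are served (200), one is refused (403) by a mitigated
# appliance, and the remaining lines are ordinary portal requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:03:14:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
198.51.100.21 - - [10/Jan/2020:03:14:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
203.0.113.7 - - [10/Jan/2020:03:14:09 +0000] "GET /vpn/..%2Fvpns%2Fcfg%2Fsmb.conf HTTP/1.1" 200 83
192.0.2.55 - - [10/Jan/2020:03:15:40 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 0
198.51.100.21 - - [10/Jan/2020:03:16:01 +0000] "GET /vpn/../vpn/index.html HTTP/1.1" 200 5123
198.51.100.21 - - [10/Jan/2020:03:16:07 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2201
"""

# Minimal combined-log parser: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_path(path, max_rounds=3):
    """URL-decode until the string stops changing (bounded), so that encoded
    and double-encoded traversal sequences are compared in their decoded form."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_probe(path):
    """Same predicate as the published mitigation: the decoded URL path contains
    both '/vpns/' and '/../'. Query strings are ignored; matching is case-insensitive."""
    p = decode_path(path).split("?", 1)[0].lower()
    return "/vpns/" in p and "/../" in p


def find_probes(log_text):
    """Return one record per request that matches the traversal predicate.
    'served' is True when the appliance answered 200, i.e. the probe succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal_probe(m["path"]):
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "path": decode_path(m["path"]),
            "status": int(m["status"]),
            "served": m["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        verdict = "SERVED (unmitigated)" if hit["served"] else "refused"
        print(f'{hit["ts"]} {hit["ip"]} {hit["path"]} -> {hit["status"]} {verdict}')
```

The predicate deliberately matches on /vpns/ plus a traversal sequence rather than on the smb.conf filename alone, so it also catches scanners that target other files under the same directory; a request with /../ but no /vpns/ (the fifth sample line) is left alone. Any probe that returns 200 is evidence the mitigation was not in place at that time and the host should be treated as potentially compromised rather than merely scanned.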

All this adds up to a pressing need for a comprehensive patch but little or no sense of when this is likely to arrive.

The Daily Swig invited Citrix for an update on Friday but we’re yet to hear back.

We’ll update this story as and when more information comes to hand.
