Citrix announced a vulnerability in the Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway is formerly known as NetScaler Gateway just before the holidays and the vulnerability has recently been targeted by remote attackers for possible exploitation as it’s being scanned for in the wild. A proof of concept exploit code exists which may be used to deliver a variety of payloads. Mitigation steps for this vulnerability have been published by Citrix.
Citrix products affected by this vulnerability are unable to handle specified web requests leading to the execution of remote code or a possible directory traversal event. Successful exploitation of this vulnerability is not difficult to execute and would result in a bad actor gaining access to internal network resources. Bad actors could use this method to gain initial access to the network before using other methods to move laterally in the environment.
Affected Software Versions:
According to Citrix, the patch to this vulnerability will require a firmware update and will likely be available by the end of January. Mitigation steps are available wherein administrators in your enterprise can enter commands designed for either standalone or high availability set-ups.
In accordance with the SANS forum post, the exploitation method is to start your POST request with either a /VPNs or a //VPNs. Attackers can then supply a configuration file they want to change or a set of instructions they want to run. These scanning attempts appear to originate from automated bots, a common method of probing networks.
Bleeping Computer Article: https://www.bleepingcomputer.com/news/security/attackers-are-scanning-for-vulnerable-citrix-servers-secure-now/
GitHub Links:
Rule: https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
Proof of Concept Exploit Code: https://github.com/trustedsec/cve-2019-19781
Citrix Links:
Patch Timeline: https://support.citrix.com/article/CTX267027
Current Mitigation: https://support.citrix.com/article/CTX267679
Bulletin: https://login.citrix.com/?url=https://support.citrix.com/user/alerts
IBM X-Force Exchange Summary: https://exchange.xforce.ibmcloud.com/vulnerabilities/173448
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.