25,000 Citrix servers vulnerable to flaw as exploit code released

Patches won’t be available until late January.


Tens of thousands of organizations with Citrix’s Application Delivery Controller (ADC) and its NetScaler Gateway servers are in a pickle this month with a cybercrime trifecta: attackers are mass scanning the internet for vulnerable machines, there are publicly available exploits, and there’s no patch from Citrix for at least a week. 

Citrix disclosed the flaw CVE-2019-19781 just before Christmas, detailing that it could allow an unauthenticated attacker to execute code of their choice on affected systems. It has provided steps to mitigate the flaw, but won’t have patches for several releases until at least January 20. 

A honeypot operated by Troy Mursch from security firm Bad Packets detected mass scanning for vulnerable Citrix systems on January 10 targeting ADC and Citrix Gateway, which is also known as NetScaler Gateway. 

According to Mursch, there are 25,000 NetScaler endpoints currently vulnerable to exploits for the vulnerability. Almost 10,000 of these endpoints are based in the US. Australia is the fifth most exposed nation with 1,076 Citrix endpoints vulnerable to the attacks. Germany, the UK, and China have 2,510, 2,028, and 1,095 exposed endpoints, according to Bad Packets.

Mursch found that the vulnerability affects all major industries, including military and government agencies, education providers, healthcare providers, utilities, financial institutions, and Fortune 500 companies. 

Researchers at Positive Technologies who reported the bug to Citrix estimated that 80,000 companies worldwide are affected by the flaw, including over 3,500 organizations in Australia.  

Over the weekend, security firm TrustedSec published exploit code for the vulnerability, dubbed “Citrixmash”, on GitHub. The tool allows for remote code execution by exploiting a directory traversal flaw in ADC. 

“TrustedSec can confirm that we have a 100% fully working remote code execution exploit that is able to directly attack any Citrix ADC server from an unauthenticated manner,” wrote David Kennedy, a researcher with TrustedSec.   

“Based on the information already provided in the workaround, the exploit itself was relatively trivial and allows for the ability to compromise the underlying operating system. The exposure is contained within a vulnerable parameter that allows for directory traversal and the ability to call poorly written scripts.”

The company published the tool after a group calling itself Project Zero India published a remote code execution exploit for the flaw on GitHub. The group has no connection to the Google Project Zero bug hunting initiative. 

According to Carnegie Mellon University’s CERT Coordination Center, the affected Citrix software fails to restrict access to perl scripts that are available via the /vpns/ path. 

“An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution,” it notes.
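From the defender's side, the CERT/CC description above gives enough to screen a web-server access log: the unrestricted perl scripts sit under the /vpns/ path and are reached through directory traversal, so a request whose decoded path climbs with `..` and resolves into `/vpns/` is worth alerting on. The script below is an added example, not code from the article, TrustedSec, Bad Packets or CERT/CC; the log lines, IP addresses and the script name `somescript.pl` are constructed placeholders, and the common log format is an assumption about how the front-end server writes its access log.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the article); the IPs are
# documentation ranges and "somescript.pl" is a placeholder script name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:08:15:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 4123
203.0.113.9 - - [10/Jan/2020:08:15:04 +0000] "GET /vpn/../vpns/somescript.pl HTTP/1.1" 200 1422
198.51.100.7 - - [10/Jan/2020:08:16:11 +0000] "POST /vpn/%2e%2e/vpns/somescript.pl?x=1 HTTP/1.1" 200 0
203.0.113.5 - - [10/Jan/2020:08:17:30 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8871
"""

# Common log format (assumed): ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_path(raw):
    """Percent-decode repeatedly (bounded) so double-encoded dots are still seen."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def classify_request(raw_path):
    """Return a reason string if the request looks like traversal into /vpns/, else None.

    Both conditions are required: a literal '..' segment in the decoded path
    and a normalised target under /vpns/, matching the CERT/CC description of
    scripts under /vpns/ being reached through directory traversal.
    """
    path = decode_path(raw_path).split('?', 1)[0]
    has_dotdot = '..' in path.split('/')
    resolved = posixpath.normpath(path)
    if has_dotdot and resolved.lower().startswith('/vpns/'):
        return 'traversal into /vpns/ (resolved to %s)' % resolved
    return None


def find_suspicious(log_text):
    """Parse access-log text; return (ip, method, raw_path, status, reason) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        reason = classify_request(m['path'])
        if reason:
            hits.append((m['ip'], m['method'], m['path'], m['status'], reason))
    return hits


if __name__ == '__main__':
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Run it against the sample and the two traversal requests (one plain, one percent-encoded) are reported while the ordinary portal requests are not; a 200 status on such a hit is the case to escalate, since it means the request was not blocked by a mitigation.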

Citrix currently plans to release fixed builds for version 10.5 of ADC and Citrix Gateway on 31 January. New builds for versions 11.1 and 12.0 should be available on 20 January, while fixed builds for versions 12.1 and 13.0 are expected by 27 January.

Copyright © 2020 IDG Communications, Inc.
