Citrix issues ADC patch amid new attacks, pushes forward more patches


US enterprise virtualization firm Citrix has shipped patches for a critical vulnerability that is being actively exploited and accelerated additional patches for other affected products. 

The first round of patches arrives amid ongoing attacks that exploit the flaw CVE-2019-19781, which affects Citrix Application Delivery Controller (ADC) - aka NetScaler ADC - and Citrix Gateway - aka NetScaler Gateway - and two older versions of Citrix SD-WAN WANOP. 

Citrix disclosed the bug in late December but did not deliver its first patches until today, with more security updates scheduled for release over the next week.

Security firm Bad Packets estimated there were 25,000 Citrix servers exposed on the internet to the vulnerability on January 10, including over 1,000 vulnerable Citrix servers hosted in Australia. 

The bug affects Citrix servers run by government and military agencies. The Netherlands Cyber Security Centrum considered the Citrix security issue serious enough that last week it advised government agencies and businesses to disable Citrix ADC and Citrix Gateway servers until a patch was available.

Earlier this month two exploits for the bug were published online, one by security firm TrustedSec and one by a group calling itself Project Zero India.

According to the SANS Internet Storm Center, most attacks are using the Project Zero India exploit, and the malware being installed has so far centered on cryptocurrency miners rather than the more harmful ransomware.

However, recent attacks using a vulnerability in Pulse Secure VPN offer a picture of how the Citrix bug could be exploited in future. IT systems at UK foreign exchange service Travelex are still partially offline 20 days after they were infected by REvil ransomware, reportedly via a flaw in Pulse Secure VPN for which a patch had been available since early 2019.

Security firm FireEye last week revealed that a hacker was cleaning up infections of NetScaler devices, not to secure them, but to install malware and block other hackers from exploiting the same flaw. 

That attacker was removing cryptocurrency mining malware installed on NetScaler devices, which would readily signal to an admin that the machine was compromised, and replacing it with a more surreptitious backdoor that provides access to the device.

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has warned local organizations to apply Citrix’s recommended mitigations until patches become available. 

Citrix CISO Fermin Serna today announced in a blogpost that patches are available for ADC versions 11.1 and 12.0. 

The fixes apply to Citrix ADC and Citrix Gateway Virtual Appliances hosted on any of ESX, Microsoft Hyper-V, Linux KVM, Citrix XenServer, Microsoft Azure, Amazon Web Services, Google Cloud Platform, and on a Citrix ADC Service Delivery Appliance (SDX). Serna noted that SVM on SDX does not need to be updated.

Citrix didn’t initially plan to have patches for some affected systems until as late as 31 January. Serna detailed a revised schedule for updates. ADC version 12.1 will now get a patch this Thursday, January 24. On that date Citrix will also release fixes for ADC version 13, ADC version 10.5, and SD-WAN WANOP.

According to Dutch security researcher Victor Gevers, who runs the security-focussed GDI Foundation, today there were still 14,564 vulnerable Citrix endpoints online.

Copyright © 2020 IDG Communications, Inc.