Threat actors scanning for vulnerable Citrix ADC servers
Scans for vulnerable Citrix servers were discovered by security researchers following the disclosure of a remote code execution flaw in Citrix ADC and Gateway products.
An unpatched vulnerability in Citrix Application Delivery Controller and Citrix Gateway products has become the target of scans by potential threat actors.
Kevin Beaumont, a security researcher based in the U.K., and Johannes Ullrich, fellow at the SANS Internet Storm Center, independently discovered evidence of people scanning for Citrix ADC and Gateway appliances vulnerable to CVE-2019-19781 over the past week.
Citrix disclosed the vulnerability on Dec. 17. It affects all supported versions of Citrix ADC and Citrix Gateway (formerly NetScaler and NetScaler Gateway, respectively). Citrix warned that successful exploitation could allow an unauthenticated attacker to run arbitrary code and urged customers to apply mitigation techniques because a patch is not yet available.
Beaumont warned this could "become a serious issue" because of the ease of exploitation and how widespread the issue could be.
"In my Citrix ADC honeypot, CVE-2019-19781 is being probed with attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue). So this is in the wild, active exploitation starting up," Beaumont wrote on Twitter. "There are way more boxes exposed than Pulse Secure, and you can exploit to RCE pre-auth with one POST and one GET request. Almost every box is also still vulnerable."
Researchers at Positive Technologies have estimated as many as 80,000 businesses in 158 countries could have vulnerable Citrix products.
Neither Beaumont nor Ullrich saw any public exploits of the Citrix ADC vulnerability, and Ullrich wrote in a blog post that he would not describe the scans as "sophisticated."
However, Craig Young, computer security researcher for Tripwire's vulnerability and exposure research team (VERT), wrote on Twitter that he had reproduced a remote code execution exploit for the vulnerability and that he would "be surprised if someone hasn't already used this in the wild."
Florian Roth, CTO of Nextron Systems, detailed a Sigma rule to detect exploitation of the Citrix ADC vulnerability, but Young noted that his functional exploit could "absolutely exploit NetScaler CVE-2019-19781 without leaving this in the logs."
Young described how he developed the exploit but did not release any proof-of-concept code.
"VERT's research has identified three vulnerable behaviors which combine to enable code execution attacks on the NetScaler/ADC appliance," Young wrote in a blog post. "These flaws ultimately allow the attacker to bypass an authorization constraint to create a file with user-controlled content which can then be processed through a server-side scripting language. Other paths towards code execution may also exist."
All researchers involved urged customers to implement configuration changes detailed in Citrix's mitigation suggestions while waiting for a proper fix.
Citrix did not respond to requests for comment at the time of this writing, and it is unclear when a firmware update will be available to fix the issue.