Brian Jackson - Fotolia
Citrix offered new details on patches for its Appliance Delivery Controller and Gateway products as security researchers observed more attacks on honeypots in the wild.
Citrix first disclosed the flaw in its ADC and Gateway appliances in mid-December as work first began on developing security fixes. According to an update posted on Saturday, Citrix patches for supported versions of the products should begin rolling out on Jan. 20 and continue through the end of the month. Specifically, Citrix ADC and NetScaler Gateway versions 11.1 and 12 should see patches on Jan. 20, versions 12.1 and 13 should be patched on Jan. 27 and version 10.5 on Jan. 31.
Fermin Serna, chief security officer at Citrix, told SearchSecurity the unique nature by which the company learned of the vulnerability led to the decision to disclose before Citrix patches were created.
"We received reports of the vulnerability from three different parties in a matter of two days. This is highly unusual, as responsible disclosures generally come from a single reporter," Serna said. "To minimize any risk to our customers in the event the exploit was being shared or published somewhere in deep web and avoid an uncoordinated disclosure through third parties, we decided to publish a security advisory with detailed mitigations while we simultaneously began to work on permanent fixes."
Johannes Ullrich, fellow at the SANS Internet Storm Center and one of the researchers who saw initial attempts to attack the Citrix flaw, suggested part of the delay might have been due to Citrix dealing with code written before it acquired NetScaler in 2005.
"The code appears to have never undergone any real code review and the flaws are significant and should be easy to spot if anybody with even a modest application security background would have reviewed the code," Ullrich told SearchSecurity. "I can only hope that they used the additional time for a code review and maybe they will not just fix the vulnerabilities pointed out by Positive Technologies, but they will also update some of the outdated vulnerable components that are included in their software and squash a few additional security issues that haven't been made public yet."
In the update regarding the Citrix patches, Serna recommended customers follow mitigation techniques the company outlined and claimed "a limited number of devices are exploitable" because deployments tend to be set up behind a firewall.
However, Kevin Beaumont, a security researcher based in the U.K., wrote on Twitter that this might not be true.
The vendor supplied mitigation does not work if you exposed the management interface either internally or to the internet, as the /../ paths aren't needed on mgmt network.— Kevin Beaumont (@GossiTheDog) January 12, 2020
Serna told SearchSecurity the "published mitigation has been tested against this scenario and we are confident that it protects against it."
"If applied, the recommended actions block access to VPNS folders under the following circumstances: 1) A URL has '/../' in it (Directory Traversal), 2) Connection is not coming from a valid SSLVPN," Serna wrote via email. "In the case of the variant attack where directory traversal is not needed to access the VPNS folder if attempted from the Citrix management interface, an exploit would be blocked under the second circumstance."
While the Citrix patches are still being developed, honeypots set up by SANS, Beaumont and Marcus Hutchins, security researcher at Los Angeles-based threat intelligence vendor Kryptos Logic, have continued to be attacked.
Didier Stevens, senior handler at SANS ISC, said his organization has "observed 37 different payloads" during many attacks.
"The commands vary from simple reconnaissance and exfiltration to second stage downloads and wiping," Stevens wrote in a blog post.
Hutchins told SearchSecurity the data shared by Stevens matches what he has seen in attacks against his honeypot.
"So far I've just seen one attacker repetitively trying to deploy a cryptominer," Hutchins said. "The real risk is attackers using it as an entry point into a company's network, rather than just mass scanning the entire internet."
Both Ullrich and Hutchins told SearchSecurity they had seen attempts to install cryptominers and backdoors after exploiting the Citrix flaw, but Ullrich said the "vast majority" of activity are scans looking for vulnerable systems.
Ullrich added that offering mitigations before Citrix patches may have made it more difficult for attackers to develop an exploit, but he also said Citrix's communication could have been better.
"They have provided very little guidance to customers, and customers have pretty much relied on third-party researchers to provide the details that customers should have received from Citrix," Ullrich said. "I have heard from Citrix customers that reached out to us because Citrix was pretty much silent and only released very generic boilerplate type advisories."