Citrix patches vulnerability as ransomware attacks emerge

Citrix rolls out more patches ahead of schedule for CVE-2019-19781, a directory traversal vulnerability that affects Citrix ADC, Gateway and SD-WAN WANOP products.

A new round of Citrix patches arrived Thursday for the vendor's Application Delivery Controller and Gateway products as reports of ransomware attacks targeting vulnerable systems emerged.

The directory traversal flaw allows an unauthenticated party to perform arbitrary code execution. Originally, the Citrix patches were scheduled for release later this month, but last week the vendor accelerated the delivery and issued the first round of patches. Thursday's patches are for Citrix ADC and Citrix Gateway versions 12.1 and 13.0. A fix for version 10.5 of the products is scheduled for release Friday.

The vulnerability, CVE-2019-19781, was disclosed in December before Citrix had an opportunity to develop fixes. Fermin Serna, CISO at Citrix, previously told SearchSecurity that the company decided to disclose the vulnerability at that time because it had received three separate reports of the flaw within two days, which indicated the risk of exploitation was higher than normal.

In a blog post, Serna urged customers to immediately apply the Citrix patches and also advised customers to take advantage of a free scanning tool, co-developed with FireEye Mandiant, designed to detect indicators of compromise in customer environments running ADC, Gateway and SD-WAN WANOP products.

It's unclear how many unpatched systems are currently online. Security researcher Victor Gevers, who is also chair of the Dutch Institute for Vulnerability Disclosure, said via Twitter that his public scans showed the number of vulnerable Citrix systems on the internet fell to 11,372 Thursday from a high of 128,777 on Dec. 31. Gevers' research showed that many of the vulnerable systems during that stretch either "powered down" or applied temporary mitigations in lieu of patches.

Ransomware attacks reported

As Citrix rolled out the latest patches, two separate reports of ransomware detections on vulnerable systems emerged. On Thursday, FireEye threat analyst Andrew Thompson noted on Twitter that he observed a threat actor using the Citrix vulnerability to gain initial access to a network and then pivoting to Windows environment to attempt a ransomware infection. "If you haven't already begun mitigating, you really need to consider the ramifications," Thompson wrote on Twitter.

On Friday, anonymous security researcher known as "Under the Breach" also reported a potential exploit of CVE-2019-19781 in a Sodinokibi ransomware attack on German carmaker Gedia. Under the Breach said via Twitter that an analysis of data released by the Sodinokibi threat actors, in retaliation for Gedia's refusal to pay the ransom, showed the carmaker had unpatched versions of Citrix ADC.

While Under the Breach said he believed the CVE-2019-19781 was used in the attack, it's unclear if the data released by Sodinokibi is authentic, or if the Citrix vulnerability was used to infect Gedia with ransomware.

Dig Deeper on Application and platform security