As enterprises wait for the patches for the Citrix ADC CVE-2019-19781 vulnerability that are still several weeks away, mass scanning for vulnerable hosts is continuing and there are now at least two proof-of-concept exploits available for the bug.
The vulnerability emerged in mid-December and Citrix released a security advisory for it on Dec. 17, warning customers of the issue. The weakness is a directory traversal vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway and it can allow an unauthenticated remote attacker to run arbitrary code. Citrix officials said they expect to begin releasing the first patches on Jan. 20, but some versions won’t have patches available until Jan. 31.
In the meantime, security researchers have been watching large-scale scanning by attackers searching for vulnerable installations and have observed active exploit attempts in several cases. There are at least two exploits available publicly, and attackers are actively using their own, as well. The two public exploits have been released on GitHub and both seem to work as intended to target the Citrix flaw.
“After the first exploit was released, TrustedSec released its exploit. It should be noted that TrustedSec held back on publishing until the first exploit was released. TrustedSec's exploit uses essentially the same method as the first exploit. But TrustedSec's exploit is written as a Python script and establishes a reverse shell,” said Johannes Ullrich, dean of research at the SANS Institute.
“Overall, TrustedSec's exploit is more professionally done and works very well. I had to make one small adjustment to make it work on my version of Citrix ADC. Over the last few hours, many other variations of the exploit have been released.”
Citrix ADC is a line of controllers designed to make application performance faster and increase availability. The appliances are widely used in data centers and enterprises.
Researchers at BadPackets detected large-scale scanning for the Citrix vulnerability from an IP address in Germany on Friday. The remote machine attempted to retrieve a configuration file from any host that responded to the scan; a successful response indicated that the host was vulnerable.
“This configuration file doesn’t appear to contain highly sensitive information by default, however a successful response to the scan will indicate the targeted server is vulnerable to further attacks,” said Troy Mursch, chief research officer at BadPackets.
“On Sunday, January 12, 2020, our honeypots detected multiple CVE-2019-19781 exploit attempts from a host in Poland. This differed from the previous scanning activity as it conducted the actual remote code execution exploit and targeted ports 443, 2083, 2087, and 8443/tcp.”
The BadPackets researchers found a little more than 25,000 vulnerable endpoints in their scans.
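The scanning and exploit attempts described above leave a recognizable trace in web access logs: requests whose path contains a directory-traversal segment (`..`), often percent-encoded to slip past naive filters, sometimes double-encoded, and aimed at the ports named in the BadPackets observations. The following is an added example of a small log triage script, not code from the article, from BadPackets, or from Citrix. The log lines are constructed for illustration, the log format is an assumed combined-log-style layout, and the suspicious paths are made up; the script only flags traversal attempts and summarizes which ones received a successful (2xx) response.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Ports 443, 2083, 2087
# and 8443 are the ones the article says the exploit attempts targeted.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2020:14:02:11 +0000] "GET /vpn/index.html HTTP/1.1" 200 4321 port=443
203.0.113.10 - - [10/Jan/2020:14:02:12 +0000] "GET /static/../../cfg/app.conf HTTP/1.1" 200 512 port=443
198.51.100.7 - - [12/Jan/2020:09:15:03 +0000] "POST /api/%2e%2e/%2e%2e/private/run HTTP/1.1" 200 77 port=8443
198.51.100.7 - - [12/Jan/2020:09:15:04 +0000] "GET /images/%252e%252e/%252e%252e/secret HTTP/1.1" 403 0 port=2083
198.51.100.7 - - [12/Jan/2020:09:15:05 +0000] "GET /images/logo.png HTTP/1.1" 200 9001 port=443
"""

# Assumed log layout: client, identd, user, [timestamp], "METHOD target PROTO",
# status, size, and a trailing "port=N" field added by this hypothetical logger.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) port=(?P<port>\d+)$'
)


def normalize_path(raw_target, max_decode_rounds=3):
    """Strip the query string and percent-decode until the path stops changing.

    Repeated decoding catches double-encoded sequences such as %252e%252e,
    which decode to %2e%2e and then to '..'.
    """
    path = raw_target.split("?", 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators so '..\\' variants are not missed.
    return path.replace("\\", "/")


def has_traversal(raw_target):
    """True if any path segment is exactly '..' after normalization."""
    return any(seg == ".." for seg in normalize_path(raw_target).split("/"))


def find_traversal_attempts(log_text):
    """Return (ip, method, target, status, port) for every traversal request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real tool would count these
        if has_traversal(m["target"]):
            hits.append((m["ip"], m["method"], m["target"],
                         int(m["status"]), int(m["port"])))
    return hits


def summarize(hits):
    """Count attempts per source IP and list the ones that got a 2xx reply.

    A 2xx on a traversal path is the signal worth escalating: it suggests
    the server actually served the requested resource.
    """
    per_ip = Counter(ip for ip, *_ in hits)
    successful = [h for h in hits if 200 <= h[3] < 300]
    return per_ip, successful


if __name__ == "__main__":
    attempts = find_traversal_attempts(SAMPLE_LOG)
    counts, ok = summarize(attempts)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} traversal attempt(s)")
    for ip, method, target, status, port in ok:
        print(f"  2xx on traversal: {ip} {method} {target} -> {status} (port {port})")
```

Run it as-is to see the constructed hits; point `find_traversal_attempts` at real log text (after adjusting `LOG_RE` to your server's format) to triage actual traffic. The decode loop is deliberately bounded so a hostile input cannot keep it busy, and the 2xx filter separates blocked probes from requests that may have succeeded.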
Citrix has released some mitigation information for customers as they wait for the patches, and Fermin Serna, CISO of Citrix, said the mitigations should help defend against attacks.
“These mitigations cover all supported versions and contain detailed steps designed to stop a potential attack across all known scenarios,” he said.
“We are currently working to develop permanent fixes. As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested.”
The Department of Homeland Security has released a utility that customers can use to test their systems to see if they’re vulnerable.