According to Positive Technologies over 80,000 companies in 158 countries were at risk. In less than a minute, an external attacker could get inside the companies’ internal networks.
Citrix announced in December that a vulnerability in its Application Delivery Controller and Gateway software had been discovered. Per a Citrix spokesperson, the company has taken measures to address the vulnerability, issuing to its customers a series of steps that would neutralize attacks. Citrix has been working on a code fix to eliminate the problem.
Mikhail Klyuchnikov, Positive Technologies expert, discovered a critical vulnerability in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway). The vulnerability was uncovered and disclosed before Christmas 2019.
“If that vulnerability is exploited, attackers obtain direct access to the company’s local network from the Internet. This attack does not require access to any accounts, and therefore can be performed by any external attacker.”
Positive Technologies experts determined that at least 80,000 companies in 158 countries were potentially at risk.
Further research by Bad Packets revealed nearly 10,000 Citrix servers at risk in the US, over 2,500 in Germany, around 2,000 in the UK, and over 1,100 in Australia and Switzerland.
The discovered vulnerability was assigned the identifier CVE-2019-19781. The vendor has not yet officially assigned a CVSS severity score to this vulnerability, but Positive Technologies experts believe it merits the highest level, 10. This vulnerability affected all supported versions of the product on all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5.
Depending on specific configuration, Citrix applications can be used for connecting to workstations and critical business systems (including ERP). In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked. This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other.
Troy Mursch, a researcher at Bad Packets, said in a blog post that further exploitation of the vulnerability could be used by threat actors for a number of different purposes, including spreading ransomware and installing cryptominers. Multiple compromised servers could also be weaponised and turned into components of a distributed denial of service (DDoS) attack.
Other security researchers have revealed that scanning activity targeting vulnerable Citrix servers has dramatically increased in the past few weeks, although this is not necessarily evidence of compromise.
Admittedly, Citrix reacted quite quickly and released a set of measures to mitigate this vulnerability, urging customers to update all vulnerable software versions to the recommended ones immediately.
In an update, Citrix’s Fermin Serna said: “We immediately started our security response process that involves, among other actions, variant analysis and mitigation development. Due to the increased risk of vulnerability leaks and the potential for an uncoordinated disclosure, we published a security advisory with detailed mitigations.” “These mitigations cover all supported versions and contain detailed steps designed to stop a potential attack across all known scenarios. We are currently working to develop permanent fixes,” Serna added in January.
To date, the vendor has released permanent fixes for all supported versions of ADC, Gateway and SD-WAN WANOP, including a recent permanent fix for Citrix Application Delivery Controller (ADC) version 10.5, to address CVE-2019-19781. Thus the crisis related to the major vulnerability identified in the Citrix software seems to have been averted.
“Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat,” says Dmitry Serebryannikov, Director of Security Audit Department, Positive Technologies. “On a separate note, we want to point out that the vendor responded very promptly, by creating and releasing a set of risk mitigation measures within just a couple of weeks after the vulnerability was discovered.”
According to Positive Technologies, companies can use web application firewalls to defend against attacks.
For example, PT Application Firewall detects this attack out of the box; the system must be set to block all dangerous requests to ensure protection in real time. Considering how long this vulnerability has been present (since the first vulnerable version of the software was released in 2014), retrospectively detecting exploitation of this vulnerability (and, therefore, infrastructure compromise) is just as important as blocking it. Starting December 18, 2019, PT Network Attack Discovery users can use dedicated rules to detect attempts to exploit this vulnerability as they happen.
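As an added example of the retrospective detection the paragraph above calls for (this is not code from Positive Technologies, Citrix or this article), the script below scans web-server access logs for the condition used by the vendor's published mitigation: a URL-decoded request path that contains `/vpns/` together with a `/../` traversal. The log format, the helper names and the sample log lines are constructed for the example.

```python
"""Retrospective scan of access logs for CVE-2019-19781 exploitation attempts.

Indicator assumed here (mirrors the vendor's published responder-policy
mitigation): decoded request path contains "/vpns/" and a "/../" traversal.
Constructed example, not a vendor or Positive Technologies tool.
"""
import re
from urllib.parse import unquote

# Assumed Common Log Format: src ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path: str) -> str:
    """URL-decode until stable so double-encoded '..' sequences are normalised."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path.lower()


def is_cve_2019_19781_attempt(path: str) -> bool:
    """True if the request path matches the traversal indicator."""
    p = decode_path(path)
    return "/vpns/" in p and "/../" in p


def scan_log(lines):
    """Return (source_ip, timestamp, status, raw_path) for each matching line.

    A hit with status 200 means the appliance served the request, i.e. the
    mitigation was not in place; a 403 means the responder policy blocked it.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cve_2019_19781_attempt(m["path"]):
            hits.append((m["src"], m["ts"], int(m["status"]), m["path"]))
    return hits


# Constructed sample lines (not real traffic); "%2e%2e" is percent-encoded "..".
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123',
    '198.51.100.23 - - [10/Jan/2020:03:14:09 +0000] "GET /vpn/../vpns/index.html HTTP/1.1" 200 1024',
    '198.51.100.23 - - [10/Jan/2020:03:14:10 +0000] "POST /vpn/%2e%2e/vpns/portal/ HTTP/1.1" 403 0',
    '192.0.2.44 - - [10/Jan/2020:03:15:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for src, ts, status, path in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} status={status} path={path}")
```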
This is not the first time that Positive Technologies experts have detected a vulnerability in Citrix software. In 2012, Positive Technologies experts detected and helped to eliminate multiple vulnerabilities in Citrix XenServer. Vulnerabilities of such severity are not often found in the products of leading software manufacturers; in this case, the interval may be five to ten years. But the risk still exists.
Please be informed that TSplus software is the best alternative to Citrix. In 2019, TSplus was acknowledged by the Silicon Valley tech journal, CIO Review magazine, as one of the Most Promising Citrix Solutions Providers.
We also offer a reliable companion tool to protect your servers – TSplus Advanced Security, which is the perfect complement to the basic TSplus product. With TSplus Advanced Security (formerly RDS-Knight), administrators can use a wide array of flexible tools to control access to remote servers.