Citrix Releases First Patches to Fix Severe VulnerabilityResearchers Discovered Software Flaw in December
Citrix has released the first of several fixes that address a vulnerability in its Application Deliver Controller and Gateway products discovered by security researchers in December.
This vulnerability, which security researchers say is already being exploited in the wild, could allow an attacker to perform arbitrary code execution and gain access to a target company's internal network and applications.
The first of the patches to fix the vulnerability in Application Delivery Controller and Gateway versions 11.1 and 12 were available as of Sunday, earlier than the company had originally expected, says Fermin Serna, the CISO of Citrix, which is based in Fort Lauderdale, Florida.
On Friday, Citrix plans to release patches for the other affected versions of Citrix Application Delivery Controller, which was formerly known as NetScaler ADC, and Citrix Gateway, which was previously known as NetScaler Gateway.
The vulnerability, which is tracked as CVE-2019-19781, was first discovered in December by researchers at Positive Technologies. Citrix had previously released mitigation strategies to help customers until the release of patches.
"We urge customers to immediately install these fixes," Serna notes in a blog post. "There are several important points to keep in mind in doing so. These fixes are for the indicated versions only; if you have multiple ADC versions in production, you must apply the correct version fix to each system."
In addition, Citrix will release a fix for its SD-WAN WANOP product on Friday, Serna notes. The company has also released a verification tool to help customers ensure that all the patches are applied correctly.
When security researcher Mikhail Klyuchnikov of Positive Technologies first desecribed the vulnerability on Dec. 23, he noted that the bug could leave some 80,000 companies in 158 countries at risk.
A flaw in the widely used Application Deliver Controller and Gateway products could give hackers access to an internal network even if a company or organization was using firewalls or two-factor authentication to help guard against such as attack, security researchers warned.
With the Citrix vulnerability - it does *not* just apply to the management interface, the Citrix information is wrong - it also applies to VIPs. Firewall protection also doesn't help if you have it exposed to the internet (which is kinda the point of Citrix Gateway). https://t.co/LjdERAKA7I— Kevin Beaumont (@GossiTheDog) January 13, 2020
Proof-of-concept code to take advantage of the vulnerability began appearing around Jan. 11 on GitHub (see: Severe Citrix Flaw: Proof-of-Concept Exploit Code Released).
In addition, security researchers, such as Troy Mursch of Chicago-based threat intelligence firm Bad Packets, began noticing large upticks in scanning activity as attackers were trying to locate vulnerable systems.
On Friday, security firm FireEye released its own report that showed attacks on vulnerable Citrix applications were increasing over the past week.
In one case, the FireEye researchers discovered one threat actor targeting vulnerable Citrix applications behind a Tor node to help disguise their identity, according to the report. Analysts also noted that this attacker used a new type of payload, which they call "NotRobin," to attack vulnerable apps.
The NotRobin payload not only works as a backdoor into Citrix applications, but also removes malware from other threat actors and then blocks further access to the app, according to FireEye.
"It periodically scans for and deletes files matching filename patterns and content characteristics," according to the FireEye report. "The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NotRobin provides backdoor access to the compromised system."
Other Security Concerns
Over the last year, Citrix has been hit with other security concerns as well.
Citrix and the FBI announced an investigation last March of an apparent penetration of the company's network and theft of business documents by hackers (see: Citrix Hacked by Password-Spraying Attackers, FBI Warns).
That investigation later showed that the bad actors had access to the company's network for six months before being expelled.