Citrix has quickened its rollout of patches for a critical vulnerability (CVE-2019-19781) in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts.
Several versions of the products still remain unpatched – but they will be getting a patch sooner than they were slated to. While Citrix originally said some versions would get a patch Jan. 31, it has now also shortened that timeframe, saying fixes are forthcoming on Jan 24 (Friday of this week).
Also, Citrix patched Citrix ADC and Citrix Gateway version 11.1 (with firmware update Refresh Build 22.214.171.124) and 12 (firmware update Refresh Build 126.96.36.199) on Jan. 19 — a day earlier than it had expected to.
The versions that Citrix expects to patch on Jan. 24 include Citrix ADC and Citrix Gateway version 10.5 (with Refresh Build 10.5.70.x), 12.1 (Refresh Build 12.1.55.x), 13 (Refresh Build 13.0.47.x), as well as Citrix SD-WAN WANOP Release 10.2.6 (with Citrix ADC Release 188.8.131.525) and Citrix SD-WAN WANOP Release 11.0.3 (Citrix ADC Release 184.108.40.2065).
When it was originally disclosed in December, the vulnerability did not have a patch, and Citrix announced it would not be issuing fixes for the gateway products and ADC (formerly called NetScaler ADC), a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web, until “late January.”
However, in the following weeks after disclosure, various researchers published public proof-of-concept (PoC) exploit code for the flaw. At the same time, researchers warned of active exploitations, and mass scanning activity, for the vulnerable Citrix products.
CVE-2019-19781 mass scanning activity from these hosts is still ongoing. https://t.co/pK4Qus1eAo
— Bad Packets Report (@bad_packets) January 14, 2020
In one unique case of exploitation, researchers at FireEye said last week that a threat actor was targeting vulnerable Citrix devices with a previously-unseen payload, which they coined as “NOTROBIN.”
Researchers said that the attack group behind the payload appeared to be scanning for vulnerable ADC devices and deploying their own malware on the devices, which would then delete any previously-installed malware. Researchers suspect that the threat actors may be trying to maintain their own backdoor access in compromised devices.
“Upon gaining access to a vulnerable NetScaler [ADC] device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign,” researchers said.
With patches now being available or soon to be rolled out, security experts urge customers to update as soon as possible.
“CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP once the appropriate firmware updates become available,” according to a Monday CISA alert on the patches. “The fixed builds can be downloaded from Citrix Downloads pages for Citrix ADC and Citrix Gateway. Until the appropriate update is accessible, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781.”
Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts from Secureworks and White Ops to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.