Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If exploited, it could allow unauthenticated attackers to gain remote access to a company’s local network and carry out arbitrary code execution.
The Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to Mikhail Klyuchnikov, a researcher at Positive Technologies. The U.S accounts for about 38 percent of vulnerable organizations.
“This attack does not require access to any accounts, and therefore can be performed by any external attacker,” he noted in research released on Tuesday. “This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server.”
While neither Citrix nor Positive Technologies released technical details on the bug (CVE-2019-19781), they said it affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5, according to the research.
“Citrix applications are widely used in corporate networks,” said Dmitry Serebryannikov, director of security audit department at Positive Technologies, in a statement. “This includes their use for providing terminal access of employees to internal company applications from any device via the internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.”
Citrix released a set of measures to mitigate the vulnerability, including software updates, according to the researchers.
The vendor made security news earlier this year when cyberattackers used password-spraying techniques to make off with 6TB of internal documents and other data. The attackers intermittently accessed Citrix’ infrastructure between October 13, 2018 and March 8, the company said, and the crooks “principally stole business documents and files from a company shared network drive that has been used to store current and historical business documents, as well as a drive associated with a web-based tool used in our consulting practice.”
Password-spraying is a related type of attack to brute-forcing and credential-stuffing. Instead of trying a large number of passwords against a single account, in password-spraying the adversary will try a single commonly used password (such as “123456”) against many accounts. If unsuccessful, a second password will be tried, and so on until accounts are cracked. This “low and slow” method is used to avoid account lock-outs stemming from too many failed login attempts.
In the case of Citrix, which has always specialized in federated architectures, the FBI surmised in March that the attackers likely gained a foothold with limited access, and then worked to circumvent additional layers of security. That was backed up by evidence that the attackers were trying to pivot to other areas of the infrastructure.