Unpatched Citrix Flaw Now Has PoC Exploits


Over 25,000 servers globally are vulnerable to the critical Citrix remote code execution vulnerability.

Proof-of-concept (PoC) exploit code has been released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products.

The vulnerability (CVE-2019-19781), which Threatpost reported on in December, already packs a double-punch in terms of severity: Researchers say it is extremely easy to exploit, and affects all supported versions of Citrix Gateway products and Citrix ADC, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web.

“The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system,” said Qualys researchers in an analysis last week. “Once exploited, remote attackers could obtain access to private network resources without requiring authentication.”

A patch will not be available until late January, Citrix has announced. That leaves various systems worldwide open to the flaw — and now, with PoC exploits available on GitHub, researchers expect exploit attempts to skyrocket.

Over three weeks after CVE-2019-19781 was first disclosed (on Dec. 17), PoC exploit code was released on Friday by “Project Zero India,” which describes itself as “a group of security researchers from India, inspired by Google’s Project Zero.”

The PoC exploit consists of two curl commands: One to write a template file which would include a user’s shell command, and the second request to download the result of the command execution.

After Project Zero India released its exploit, another PoC exploit was released by security research group TrustedSec. This PoC was similar to the first, except it was written in Python and established a reverse shell.

Security expert Kevin Beaumont, who dubbed the vulnerability “Shitrix,” said on Twitter that the exploit PoC code means “this is going to get very messy.”

https://twitter.com/GossiTheDog/status/1215782882540695552

In addition, researchers have also released scanners and honeypots to see if various servers are vulnerable to CVE-2019-19781.

Citrix did not disclose many details about the vulnerability in its security advisory; however, Qualys researchers said that the mitigation steps offered by Citrix suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.

“The exploit attempt would include HTTP requests with ‘/../’ and ‘/vpns/’ in the URL. The responder policy rule checks for the string ‘/vpns/’ and if the user is connected to the SSLVPN, and sends a 403 response,” according to Qualys researchers.

According to the Bad Packets Report, over 25,000 servers globally, with the most in the U.S., Germany and the UK, are vulnerable to CVE-2019-19781.

https://twitter.com/bad_packets/status/1216635462011351040

Affected by the vulnerability are: Citrix ADC and Citrix Gateway version 13.0 all supported builds, Citrix ADC and NetScaler Gateway version 12.1 all supported builds, Citrix ADC and NetScaler Gateway version 12.0 all supported builds, Citrix ADC and NetScaler Gateway version 11.1 all supported builds and Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds.

“Citrix expects to have firmware updates in the form of refresh builds to be available across all supported versions of Citrix ADC and Citrix Gateway before the end of January 2020,” according to the Citrix security advisory.

A patch will be released on Jan. 20 for Citrix ADC versions 11, 12 and 13, while a patch for version 10 will be released Jan. 31, according to Citrix.

In the meantime, Citrix has released mitigation steps for CVE-2019-19781. Researchers are also urging customers to check their systems for exploit attempts using “grep” for requests that contain “vpns” and “..”.
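The log check described above, written out as a small shell script; this is an added example, not code from Threatpost, Citrix or the researchers quoted, and it assumes an Apache-style access-log format where the request line is quoted and the client address is the first field. The log lines are constructed samples.

```shell
#!/bin/sh
# Scan web access logs for CVE-2019-19781 exploit attempts: requests whose URL
# contains both "/vpns/" and "/../", the two indicators named in the Citrix
# mitigation and the Qualys analysis. SAMPLE_LOG is a constructed sample:
# lines 1 and 3 carry both indicators, line 2 is a normal VPN login page hit,
# line 4 mentions /vpns/ but has no traversal and so must not be flagged.
SAMPLE_LOG='198.51.100.7 - - [11/Jan/2020:10:02:11 +0000] "GET /vpn/../vpns/example HTTP/1.1" 200 1234
203.0.113.9 - - [11/Jan/2020:10:03:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 9876
203.0.113.9 - - [11/Jan/2020:10:04:05 +0000] "POST /vpn/../vpns/example HTTP/1.1" 200 77
192.0.2.5 - - [11/Jan/2020:10:05:00 +0000] "GET /vpns/help.html HTTP/1.1" 404 0'

# Print only the lines (read from stdin) whose request contains both indicators.
# grep -F matches the strings literally, so "/../" is not treated as a regex.
flag_probe_lines() {
    grep -F '/vpns/' | grep -F '/../'
}

# Count flagged lines; takes a log file path, or reads stdin when none is given.
count_probe_lines() {
    if [ -n "$1" ]; then
        flag_probe_lines < "$1" | wc -l | tr -d ' '
    else
        flag_probe_lines | wc -l | tr -d ' '
    fi
}

# Distinct client addresses (first log field) that sent a flagged request,
# which is the list an incident responder would want to triage first.
probe_sources() {
    flag_probe_lines | awk '{print $1}' | sort -u
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_probe_lines
echo "flagged requests: $(printf '%s\n' "$SAMPLE_LOG" | count_probe_lines)"
echo "sources:"
printf '%s\n' "$SAMPLE_LOG" | probe_sources
```

On a real appliance the same functions can be fed the HTTP access log instead of the sample, e.g. `count_probe_lines /path/to/access.log`.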

Security experts like Dave Kennedy took to Twitter meanwhile to warn customers to apply mitigations until a patch is available.

Mikhail Klyuchnikov of Positive Technologies, Gianlorenzo Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc were credited with finding the flaw.
