As many of you have heard by now a major vulnerability to the Citrix Netscaler platform was announced before the holidays. At that time the vulnerability was not widely known or for that matter understood. Since that time we have seen bad actors using several tools to bypass corporate security mechanisms. From what we’ve seen at Critical Path Security this breach has the potential to affect every Citrix customer with a Citrix Netscaler gateway deployed.
The fact that Citrix has been very quiet on this vulnerability considering they were hacked last year and suffered a significant data breach, is very disconcerting to say the least. Even at this moment, we have not heard how this breach at Citrix occurred or if it is somehow related to the Netscaler gateway vulnerability. The vulnerability is a path traversal bug that can be easily exploited over the internet by an attacker. The attacker does not have to provide authentication credentials for the device when launching an attack. All an attacker has to do is send a boobytrapped request to the vulnerable Citrix appliance, along with the exploit code they want to execute on the device. Even customers with 2FA are susceptible. By gaining direct access to the device virtual IP, no matter how secure your deployment is, this patch combined with constant network monitoring becomes your best defense.
The discovered vulnerability was assigned identifier CVE-2019-19781. The vendor has not officially assigned a CVSS severity level to this vulnerability as of yet, but our Critical Path Security experts believe this exploit can be one of the most significant we've seen to date. This vulnerability affects all supported versions of the product, and all supported platforms, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5. From our analysis, the complete exploit chain requires just two HTTPS requests to achieve full remote command execution. The first request establishes the crafted template, and the second invokes the command when the template is processed. It is important to note, however, that certain payloads will cause NetScaler to excessively log errors until it fills up the /var partition.
With the whole of Citrix’s client base exposed, Critical Path Security has been hard at work understanding the scope of this vulnerability. It is estimated almost 60,000 Netscaler Gateway login pages exist and only a third of these are patched (39,378 of the 58,620 scanned IPs were vulnerable). It is alarming that so many organizations are currently at risk in such a sensitive part of their organization. Each one of these devices is an opportunity for criminals or spies to gain access to restricted networks and impersonate authorized users.
Critical Path Security is here to help. Our team has been working with our partners to deploy this fix for all of our existing customer base. While the patch seems to resolve the issue we are still closely monitoring this as even with the patch there is still a possibility that organizations can still be at risk. There are many variations of the exploit and we are still just at the beginning of the various methods this exploit is being deployed. For defenses, the Citrix workaround ("patch") is still the r best bet. If you haven't applied it yet, please reach out to Critical Path Security asap. Our team has developed a process to ensure that your systems have not been exploited before we apply the patch. By combining this fix with the Leargas network security appliance we can confidently monitor network traffic and ensure that bad actors aren't able to bypass the corporate network using a hybrid or other toolset to gain access to the corporate network.