A critical Citrix vulnerability (CVE-2019-19781) is currently under mass exploitation in January 2020. To detect if your organisation is compromised, Redscan has developed a script that will examine your host.
The Citrix ADC / NetScaler path traversal flaw is under active and widespread exploitation in the wild to attack networks indiscriminately. A proof of concept exploit has been publicly disclosed and a large number of organisations are at risk.
Paul Sutton, Head of Research and Development, Redscan Labs, commented:
“If your organisation is using an insecure Citrix ADC appliance then you should assume it has been compromised. In addition, any credentials used with the appliance, such as for a VPN gateway, should also be considered compromised – including where centralised authentication mechanisms such as LDAP are configured.
“Unfortunately, these appliances cache credentials and it is trivial to obtain hashes after successful exploitation, which can then be cracked. Attackers are then using these credentials to gain access to internal environments, like Windows domains.
“We strongly recommend that organisations take immediate action to identify if they have been compromised and patch this vulnerability as soon as possible. Enforcing 2FA on VPN services and forcing password resets across all user accounts with VPN access is also recommended.”
“Before patching, we recommend that system administrators use our script to gather all relevant data from the affected host. Applying patches will likely require a reboot, which can lead to the destruction of evidence.”
George Glass, Level 3 Threat Hunter, said:
“We have identified active exploitation of this vulnerability in the wild over the last week. The intrusions have been seen in a few flavours, the majority of which stem from the tool ‘Citrixmash’, which generates a back door with high privileges (a reverse shell running as root). Other variants have been installing ‘Cryptominers’. We have put together a script which can aid in the Digital Forensics and Incident Response (DFIR) process, which checks for signs of compromise.”
Which Citrix devices are affected?
The vulnerability affects these product versions and platform builds:
- Citrix Application Delivery Controller (10.5, 13.0)
- Citrix NetScaler Gateway (10.5, 11.1, 12.0, 12.1)
- Citrix SD-WAN WANOP (appliance models 4000, 4100, 5000, 5100)
What actions should you take?
Be sure not to reset/restart the appliance prior to establishing whether compromise has occurred, as this can destroy indicators left behind by a successful exploitation.
We recommend that you take the following actions:
- An HTTP 200 response from the following command should confirm whether the host is vulnerable:
curl https://<host>/vpn/../vpns/cfg/smb.conf --path-as-is
- Get the Redscan Labs script from GitHub to collect useful logs on your Citrix appliance.
- Check the Citrix website for patches. To date, only patches for ADC versions 11.1 and 12.0 have been released.
- As mitigation steps may not fully address the vulnerability, Citrix has released a verification tool, available on the Citrix website.
- Firewalls and IPS systems have signatures available to detect this – ensure any systems and signatures are up to date.
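Once the logs have been collected from the appliance, the request shape used by the check above (a dot-dot segment stepping from /vpn/ into /vpns/) is also what to look for in the HTTP access log. The script below is an added example, not Redscan's collection script or a Citrix tool; it assumes the access log is one request per line in Apache common log format, handles single and double percent-encoding of the traversal, and separates requests the server actually served (status 200) from ones it refused. The log lines and IP addresses are constructed for the example.

```python
"""Added example: flag CVE-2019-19781 path-traversal probes in an access log.
Assumptions (not from the advisory): Apache common log format, one request
per line; the sample lines below are constructed, not captured traffic."""
import re
from urllib.parse import unquote

# Constructed sample log (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1521
198.51.100.7 - - [12/Jan/2020:03:20:11 +0000] "GET /vpn/index.html HTTP/1.1" 200 8123
192.0.2.44 - - [13/Jan/2020:11:02:45 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
192.0.2.44 - - [13/Jan/2020:11:02:50 +0000] "GET /vpn/%252e%252e/vpns/cfg/smb.conf HTTP/1.1" 200 1521
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_path(raw):
    """Percent-decode until the string stops changing, so %2e%2e and the
    double-encoded %252e%252e both end up as '..'. Capped at three rounds."""
    cur = raw
    for _ in range(3):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def is_vpns_traversal(raw_path):
    """True when the decoded request path reaches /vpns/ through a '..'
    segment, i.e. the shape of the curl check given in the advisory."""
    segments = decode_path(raw_path).split('?', 1)[0].split('/')
    return '..' in segments and 'vpns' in segments


def scan_log(text):
    """Return one finding per matching line. 'served' is True when the
    appliance answered 200 (the traversal was honoured); any other status
    means the request was refused, for example by a mitigation policy."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_vpns_traversal(m['path']):
            continue
        findings.append({
            'ip': m['ip'],
            'timestamp': m['ts'],
            'path': decode_path(m['path']),
            'status': int(m['status']),
            'served': m['status'] == '200',
        })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        verdict = 'SERVED - treat host as compromised' if f['served'] else 'refused'
        print(f"{f['timestamp']} {f['ip']} {f['status']} {f['path']} -> {verdict}")
```

Run it against the appliance's own access log instead of SAMPLE_LOG once the logs have been collected. A served traversal (status 200) is the condition the advisory describes as confirming vulnerability, so any such line from an external address is a reason to treat the host and the credentials cached on it as compromised; refused probes still show who was scanning, which is worth keeping for the incident timeline.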
Further information on mitigation steps is available from the Citrix knowledge base.