On Friday, January 10, 2020, honeypots have detected internet-wide opportunistic scanning activity targeting vulnerable Citrix endpoints. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.
The honeypot scans have found this vulnerability affects multiple Citrix servers of organizations in the healthcare industry. Due to the sensitive nature of this vulnerability, the affected Citrix endpoints detected by partner scans will not be shared publicly.
Given the ongoing scanning activity detected by security researchers, it is likely that attackers have enumerated all publicly accessible Citrix ADC and Citrix (NetScaler) Gateway endpoints vulnerable to CVE-2019-19781. Perch Security and security researchers at Bad Packets report this vulnerability is actively being exploited by malicious actors.
Organizations with vulnerable Citrix infrastructure on the Bad Packets list are being notified directly by the Threat Operations Center as they are enumerated.
Analysis
Honeypots have detected internet-wide opportunistic scanning activity targeting Citrix endpoints vulnerable to CVE-2019-19781. The vulnerability is a path traversal bug that can be exploited over the internet by an attacker. The attackers do not have to provide authentication credentials for the device when launching an attack. The attackers must just send a boobytrapped request to the vulnerable Citrix appliance, along with the exploit code they want to execute on the device.
Mitigation Recommendations
Citrix has not released a patch. However, Citrix has published a support page detailing mitigation in the form of configuration adjustments available here.
Additionally, we recommend maintaining an offsite backup of critical data to protect against loss of integrity or availability of data in the event of a breach.
Recognition & References
- Over 25,000 Citrix (Netscaler) Endpoints Vulnerable to CVE-2019-19781
- Mitigation Steps for CVE-2019-19781
- Proof-of-concept code published for Citrix bug as attacks intensify