Unpatched Citrix Flaw Now Has PoC Exploits

Proof-of-concept (PoC) exploit code has been released for an unpatched remote-code-execution vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway products.

The vulnerability (CVE-2019-19781), which Threatpost reported on in December, already packs a double-punch in terms of severity: Researchers say it is extremely easy to exploit, and affects all supported versions of Citrix Gateway products and Citrix ADC, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web.

“The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system,” said Qualys researchers in an analysis last week. “Once exploited, remote attackers could obtain access to private network resources without requiring authentication.”

A patch will not be available until late January, Citrix has announced. That leaves various systems worldwide open to the flaw — and now, with PoC exploits available on GitHub, researchers expect exploit attempts to skyrocket.

Exploit PoC Code

Over three weeks after CVE-2019-19781 was first disclosed (on Dec. 17), this past weekend PoC exploit code for was released Friday by “Project Zero India,” which describe themselves as “a group of security researchers from India, inspired by Google’s Project Zero.”

The PoC exploit consists of two curl commands: One to write a template file which would include a user’s shell command, and the second request to download the result of the command execution.

After Project Zero India released its exploit, another PoC exploit was released by security research group TrustedSec. This PoC was similar to the first, except it was written in Python and established a reverse shell.

Security expert Kevin Beaumont, who dubbed the vulnerability “Shitrix,” said on Twitter that the exploit PoC code means “this is going to get very messy.”

https://twitter.com/GossiTheDog/status/1215782882540695552

In addition, researchers have also released scanners and honeypots to see if various servers are vulnerable to CVE-2019-19881.

The Flaw

Citrix did not disclose many details about the vulnerability in its security advisory, however, Qualys researchers said that the mitigation steps offered by Citrix suggest the flaw stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.

“The exploit attempt would include HTTP requests with ‘/…/’ and ‘/vpns/’ in the URL. The responder policy rule checks for string “/vpns/” and if user is connected to the SSLVPN, and sends a 403 response,” according to Qualys researchers.

According to the Bad Packets Report, over 25,000 servers globally — with the most in the U.S., Germany and the UK – are vulnerable to CVE-2019-19781.

https://twitter.com/bad_packets/status/1216635462011351040

Affected by the vulnerability are: Citrix ADC and Citrix Gateway version 13.0 all supported builds, Citrix ADC and NetScaler Gateway version 12.1 all supported builds, Citrix ADC and NetScaler Gateway version 12.0 all supported builds, Citrix ADC and NetScaler Gateway version 11.1 all supported builds and Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds.

Mitigations

“Citrix expects to have firmware updates in the form of refresh builds to be available across all supported versions of Citrix ADC and Citrix Gateway before the end of January 2020,” according to the Citrix security advisory.

A patch will be released on Jan. 20 for Citrix ADC versions 11/12 and 13, while a patch for version 10 will be released Jan. 31, according to Citrix.

In the meantime, Citrix has released mitigation steps for CVE-2019-19781. Researchers are also urging customers to check their systems for exploit attempts using “grep” for requests that contain “vpns” and “…”.

Security experts like Dave Kennedy took to Twitter meanwhile to warn customers to apply mitigations until a patch is available.

> Can’t emphasize enough – please please please do the mitigation steps for the Citrix exploit as soon as possible.
>
> This is going to be a really bad one folks.
>
> Easy to automate and exploit and is widely used across the Internet.
>
> Mitigation here: <https://t.co/jeF0UC6A9V&gt;
>
> — Dave Kennedy (ReL1K) (@HackingDave) January 11, 2020

Mikhail Klyuchnikov of Positive Technologies, Gianlorenzo Cipparrone and Miguel Gonzalez of Paddy Power Betfair plc were credited with finding the flaw.

Concerned about mobile security?Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security__, on Jan. 22 at 2 p.m. ET.Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time.****Click here to register.