Citrix ADC Vulnerability

Citrix has finally started rolling out security patches for a critical vulnerability in ADC and Gateway software[1] that attackers started exploiting in the wild earlier this month, after the company announced the existence of the issue without releasing any permanent fix.

I wish I could say, “better late than never,” but since hackers don’t waste time or miss any opportunity to exploit vulnerable systems, even a short window of time resulted in the compromise of hundreds of Internet-exposed Citrix ADC and Gateway systems.

As explained earlier on The Hacker News, the vulnerability,
tracked as CVE-2019-19781, is a path traversal issue that
could allow unauthenticated remote attackers to execute arbitrary
code on several versions of Citrix ADC and Gateway products, as
well as on the two older versions of Citrix SD-WAN WANOP.

Rated critical with CVSS v3.1 base score 9.8, the issue was
discovered by Mikhail Klyuchnikov, a security researcher at
Positive Technologies, who responsibly reported it to Citrix in
early December.

The vulnerability has been actively exploited in the wild since last week by dozens of hacking groups and individual attackers, thanks to the public release of multiple proof-of-concept exploits[2].

According to cyber security experts[3], as of today, there are
over 15,000 publicly accessible vulnerable Citrix ADC and Gateway
servers that attackers can exploit overnight to target potential
enterprise networks.

FireEye experts found an attack campaign in which someone was compromising vulnerable Citrix ADCs to install a previously unseen payload, dubbed “NotRobin[4],” that scans systems for cryptominers and malware deployed by other attackers and removes them to maintain exclusive backdoor access.

“This actor exploits NetScaler devices using CVE-2019-19781 to
execute shell commands on the compromised device,” FireEye
said.

“FireEye believes that the actor behind NOTROBIN has been
opportunistically compromising NetScaler devices, possibly to
prepare for an upcoming campaign. They remove other known malware,
potentially to avoid detection by administrators.”

Citrix Patch Timeline: Stay Tuned for More Software Updates!

Last week Citrix announced a timeline[5], promising to release patched firmware updates for all supported versions of ADC and Gateway software before the end of January 2020, as shown in the chart.

[Chart: Citrix ADC and Gateway Software]

As part of its first batch of updates[6], Citrix today released permanent patches for ADC versions 11.1 and 12.0 that also apply to “ADC and Gateway VPX hosted on ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).”

“It is necessary to upgrade all Citrix ADC and Citrix Gateway
11.1 instances (MPX or VPX) to build 11.1.63.15 to install the
security vulnerability fixes. It is necessary to upgrade all Citrix
ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build
12.0.63.13 to install the security vulnerability fixes,” Citrix
said in its advisory.

“We urge customers to install these fixes immediately,” the company
said. “If you have not already done so, you need to apply the
previously supplied mitigation to ADC versions 12.1, 13, 10.5, and
SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those
versions are available.”

The company also warned that customers running multiple ADC versions in production must apply the correct patch version to each system separately.
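With several release lines in production, deciding which devices are actually fixed is a mechanical comparison of build numbers, and one that is easy to get wrong by hand. The following Python script is an added example, not code from the article or from Citrix: it classifies each device build against the fixed builds the advisory quotes (11.1.63.15 for the 11.1 line, 12.0.63.13 for the 12.0 line) and treats the lines the article says still depend on the interim mitigation (10.5, 12.1, 13) as needing that mitigation. It assumes that any later build within a fixed line also carries the fix, writes the article's “13” as the 13.0 release line, and the host names and build numbers in the sample inventory are constructed.

```python
"""Classify Citrix ADC / Gateway builds against the fixed builds quoted in the article.

Added example; the inventory below is constructed, not real data.
"""
from __future__ import annotations

# First-batch fixed builds named in the Citrix advisory quoted above.
FIXED_BUILDS = {
    "11.1": "11.1.63.15",
    "12.0": "12.0.63.13",
}

# Release lines the article says must keep the interim mitigation until a fix ships.
# The article's "13" is written here as its major.minor line "13.0" (assumption).
MITIGATION_ONLY = {"10.5", "12.1", "13.0"}


def parse_build(build: str) -> tuple[int, ...]:
    """Turn '12.0.63.13' into (12, 0, 63, 13) so builds compare numerically, not as text."""
    parts = build.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {build!r}")
    return tuple(int(p) for p in parts)


def release_line(build: str) -> str:
    """Major.minor release line, e.g. '12.0' for '12.0.58.15'."""
    major, minor = parse_build(build)[:2]
    return f"{major}.{minor}"


def assess(build: str) -> str:
    """Return PATCHED, VULNERABLE, MITIGATION_REQUIRED or UNKNOWN_LINE for one build."""
    line = release_line(build)
    fixed = FIXED_BUILDS.get(line)
    if fixed is not None:
        # Assumption: any build at or above the fixed build in the same line carries the fix.
        return "PATCHED" if parse_build(build) >= parse_build(fixed) else "VULNERABLE"
    if line in MITIGATION_ONLY:
        return "MITIGATION_REQUIRED"
    return "UNKNOWN_LINE"


def assess_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Map every host in an inventory of {host: build} to its patch status."""
    return {host: assess(build) for host, build in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: host names and builds are illustrative only.
    sample = {
        "adc-dc1-01": "11.1.63.15",
        "adc-dc1-02": "11.1.61.7",
        "gw-dc2-01": "12.0.63.13",
        "gw-dc2-02": "12.1.54.16",
        "adc-lab-01": "13.0.41.28",
    }
    for host, status in assess_inventory(sample).items():
        print(f"{host:12} {sample[host]:14} {status}")
```

Builds are compared as integer tuples rather than strings, so 12.0.63.13 correctly sorts above 12.0.9.1; an unrecognised release line is reported as UNKNOWN_LINE rather than silently treated as safe.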

Besides installing available patches for supported versions and
applying the recommended mitigation for unpatched systems, Citrix
ADC administrators are also advised to monitor their device logs
for attacks.
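Because the flaw is a path traversal issue, one concrete thing to look for in web access logs is request paths that still contain a “..” segment after percent-decoding. The Python script below is an added example, not code from the article, FireEye or Citrix: it parses common-log-format lines, decodes the request path repeatedly so that double encoding or backslashes cannot hide the traversal, and reports each matching request with its response status. The log lines and the paths in them are constructed for the example and are not indicators taken from any report.

```python
"""Scan web access logs for path-traversal requests, as a log-monitoring check.

Added example for the article's advice to watch device logs; the log lines are
constructed and the paths in them are illustrative, not indicators from any report.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Common-log-format style lines, constructed for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jan/2020:10:01:02 +0000] "GET /portal/index.html HTTP/1.1" 200 4123
203.0.113.11 - - [13/Jan/2020:10:01:05 +0000] "GET /portal/../../conf/settings.xml HTTP/1.1" 200 512
203.0.113.12 - - [13/Jan/2020:10:01:09 +0000] "POST /portal/..%2F..%2Fscripts/run.pl HTTP/1.1" 200 13
203.0.113.13 - - [13/Jan/2020:10:02:00 +0000] "GET /portal/%252e%252e/%252e%252e/conf/db.ini HTTP/1.1" 404 0
203.0.113.14 - - [13/Jan/2020:10:02:30 +0000] "GET /portal/..files/readme.txt HTTP/1.1" 200 80
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double encoding cannot hide a '..' segment."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(raw_path: str) -> bool:
    """True if the decoded, slash-normalised path contains a literal '..' segment.

    Only whole '..' segments count, so file names such as '..files' are not flagged.
    """
    decoded = fully_decode(raw_path).replace("\\", "/")
    decoded = decoded.split("?", 1)[0]  # the query string is not part of the path
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per request whose path contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not fatal
        if has_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "method": m["method"],
                "raw_path": m["path"],
                "decoded_path": fully_decode(m["path"]),
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        # A 2xx answer to a traversal request deserves a closer look than a 404.
        flag = "SUCCESS?" if 200 <= hit["status"] < 300 else "blocked"
        print(f'{hit["ip"]:15} {hit["method"]:5} {hit["decoded_path"]}  -> {hit["status"]} {flag}')
```

The status code is kept with each hit because a traversal request that was answered with 200 is far more interesting during triage than one the server rejected; sorting the output by status is a simple way to prioritise which hosts to inspect first.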


References

  1. vulnerability in ADC and Gateway (thehackernews.com)
  2. proofs-of-concept exploit code (thehackernews.com)
  3. experts (twitter.com)
  4. NotRobin (www.fireeye.com)
  5. announced a timeline (twitter.com)
  6. first batch of updates (www.citrix.com)
