Proof-of-concept code published for Citrix bug as attacks intensify

Starting with yesterday, there is now public proof-of-concept exploit code for CVE-2019-19781, a vulnerability in Citrix enterprise equipment that can allow hackers to take over devices and access a companies’ internal networks.

The vulnerability is as bad as it gets and has been deemed one of the most dangerous bugs disclosed in recent years.

Codenamed Shitrix by the larger infosec community, this vulnerability impacts Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway.

The vulnerability is a path traversal bug that can be exploited over the internet by an attacker. The attacker does not have to provide authentication credentials for the device when launching an attack. All an attacker has to do is send a boobytrapped request to the vulnerable Citrix appliance, along with the exploit code they want to execute on the device.

The bug was discovered and reported to Citrix by Mikhail Klyuchnikov, a researcher at UK security firm Positive Technologies. Klyuchnikov said that at the time he found the bug, there were more than 80,000 organizations running vulnerable Citrix instances.

Still no patch almost a month later

On December 17, Citrix released a security advisory for its customers, but the company did not release a patch. Instead, Citrix published a support page detailing mitigations in the form of configuration adjustments.

Almost a month later, Citrix has still not released a patch, despite the bug’s severity and its wide impact.

In the meantime, threat actors have been starting to figure out how to exploit the bug — which many security researchers said was trivial and only required a few lines of code.

Scans have been happening for weeks, but exploitation attemps have also begun for at least three days, according to various security experts and cyber-security firms who run honeypot servers.

The bug’s severity and the clear danger to enterprise systems did not go unnoticed. Over the past few weeks, security experts, government officials, government cybersecurity agencies, CERT teams, and about anyone under the sun who understands basic enterprise security have been warning companies to apply the Citrix mitigations to prevent attacks from exploiting vulnerable machines until Citrix finally releases a permanent fix in the form of a patch.

Proof-of-concept code broadly available

While attacks have been slowly climbing in intensity over the past few days, the security community believed things wouldn’t get out of hand, as attackers would still need to figure out a way to exploit vulnerable Citrix systems, lacking a public exploit.

This changed yesterday, on Friday night, when a group of security researchers calling themselves Project Zero India released the first proof-of-concept (PoC) exploit code for the CVE-2019-19781 vulnerability.

A few hours later, the team at TrustedSec followed with their own PoC. The TrustedSec team had developed their PoC earlier this week but refused to release it because it was aware that publishing the code on the internet would trigger a spike in exploitation attempts, something they did not want to do.

“We are only disclosing this due to others publishing the exploit code first,” TrustedSec said in a description of their tool on GitHub. “We would have hoped to have had this hidden for a while longer while defenders had appropriate time to patch their systems.”

The security firm hopes that companies use their tool to test their networks for vulnerable Citrix instances and if they configured the Citrix mitigation correctly.

They’ve also published a blog post on how to analyze Citrix systems for any possible compromise, just in case some companies have had the unfortunate luck to have already been hacked.

Additional technical write-ups analyzing the Citrix bug: Positive Technologies, MDSec, TrustedSec.