Exploits targeting the recent Citrix Application Delivery Controller (ADC) vulnerability have already been published online, yet security patches will not be available for at least another week.
Impacting both Citrix ADC and Citrix Gateway (previously known as NetScaler ADC and NetScaler Gateway), the vulnerability is tracked as CVE-2019-19781 and could lead to code execution without authentication, Citrix revealed on December 17, 2019.
The company also provided details on the steps organizations should take to mitigate exposure to this vulnerability but, three weeks after the flaw was made public, over 39,000 systems without the mitigation enabled were found, and adversaries were already scanning for the vulnerability.
Now, Citrix says it is working on security updates to patch the vulnerability, but estimates that at least one more week would pass before the first patches are released.
Specifically, the company expects patches for versions 11.1 and 12 of the affected products next Monday, on January 20, updates for versions 12.1 and 13 on January 27, and fixes for version 10.5 on January 31.
“We are currently working to develop permanent fixes. As with any product of this nature, and consistent with our policies and procedures, these fixes need to be comprehensive and thoroughly tested,” Citrix reveals.
The company also notes that, amid reports of network scans aimed at detecting vulnerable systems, applying the previously published mitigations is the path to staying secure. It also believes that only a limited number of devices are exploitable, as many deployments are behind firewalls.
According to Johannes B. Ullrich, dean of research at the SANS Technology Institute, the scans for vulnerable Citrix ADC systems that he has observed for the past couple of weeks have turned into full-blown exploitation attempts lately.
The escalation is not surprising, as two working exploits have already been published online. One comes from "Project Zero India" and the other from TrustedSec, which said it released the exploit only because other researchers released theirs.
The first exploit essentially includes two curl commands: one to write a template file containing a shell command, and the second to download the result of the command execution.
The second exploit essentially uses the same method, but is delivered in the form of a Python script that also establishes a reverse shell. Ullrich says he has observed many other variations of the exploit being released within several hours.
“We do see heavy exploitation of the flaw using variations of both exploits. Most attempts follow the ‘Project Zero India’ pattern, which is likely simpler to include in existing exploit scripts. Much of the scanning we have seen so far is just testing the vulnerability by attempting to run commands like ‘id’ and ‘uname’,” the researcher says.
Some of the observed exploitation attempts, he reveals, would seek to fetch additional code, with one of the retrieved samples being a Perl backdoor.
In addition to applying the recommended mitigations, organizations can check whether their deployments are vulnerable or whether they have already been compromised using the following command.
“A 200 response means you are vulnerable. A 403 response indicates that the workaround is in place. A 404 response likely indicates that this is not a Citrix ADC or other vulnerable system,” Ullrich notes.
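The response-code interpretation above can be turned into a small self-check for an organization's own ADC and Gateway deployments. The script below is an added example written for this article, not code from Citrix, SANS or TrustedSec. It assumes the operator supplies the probe path from the SANS diary (the article does not reproduce it, so CHECK_PATH is a placeholder) and maps the HTTP status code exactly as Ullrich describes: 200 means vulnerable, 403 means the mitigation is in place, 404 means probably not a Citrix ADC. Any other code is reported as inconclusive rather than quietly treated as safe, and unreachable hosts are reported separately so a fleet-wide run does not hide gaps in coverage.

```python
"""Self-check helper for the Citrix ADC / Gateway response-code test.

Added example, not part of the original article. The probe path is a
placeholder that must be replaced with the published check path; the
hostname in the usage block is constructed.
"""
import http.client
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder: substitute the probe path published in the SANS ISC diary.
CHECK_PATH = "/REPLACE-WITH-PUBLISHED-CHECK-PATH"

VULNERABLE = "vulnerable"
MITIGATED = "mitigation in place"
NOT_CITRIX = "probably not Citrix ADC / Gateway"
INCONCLUSIVE = "inconclusive"
UNREACHABLE = "unreachable"


@dataclass
class ProbeResult:
    host: str
    status: Optional[int]
    verdict: str
    detail: str = ""


def classify_status(status: Optional[int]) -> str:
    """Map an HTTP status code to the verdicts quoted in the article.

    Redirects, 401s, 5xx and similar are flagged as inconclusive so that a
    load balancer or WAF in front of the appliance cannot make a vulnerable
    box look safe.
    """
    if status is None:
        return UNREACHABLE
    if status == 200:
        return VULNERABLE
    if status == 403:
        return MITIGATED
    if status == 404:
        return NOT_CITRIX
    return INCONCLUSIVE


def probe_host(host: str, path: str = CHECK_PATH, port: int = 443,
               timeout: float = 5.0, verify_tls: bool = True) -> ProbeResult:
    """Send one GET for `path` to `host` and classify the status code.

    http.client sends the request-target verbatim (no dot-segment
    normalisation), which matters for checks of this kind; many HTTP
    libraries rewrite the path before sending it.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # appliances frequently present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"User-Agent": "adc-self-check"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return ProbeResult(host, resp.status, classify_status(resp.status), resp.reason)
    except (OSError, http.client.HTTPException) as exc:
        # DNS failure, timeout, TLS error, refused connection, malformed reply
        return ProbeResult(host, None, UNREACHABLE, repr(exc))
    finally:
        conn.close()


def summarize(results: List[ProbeResult]) -> Dict[str, int]:
    """Count verdicts so a run over many hosts gives an at-a-glance picture."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r.verdict] = counts.get(r.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    import sys
    # Constructed sample hostname; pass real inventory on the command line.
    hosts = sys.argv[1:] or ["gateway.example.internal"]
    results = [probe_host(h, verify_tls=False) for h in hosts]
    for r in results:
        print(f"{r.host}: HTTP {r.status} -> {r.verdict} ({r.detail})")
    print(summarize(results))
```

Run it with the hostnames of your own appliances as arguments. Because the check is a plain unauthenticated GET, the same request will appear in the appliance's access logs, which is useful when confirming that the logging pipeline captures probes of this kind.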
TrustedSec has published a comprehensive guide on how to verify whether a system has been compromised or not.