Behind the scenes of Talos' coverage of the critical Citrix and Internet Explorer vulnerabilities

By Jon Munshaw. Contributions from Tyler Montier and Dalton Schaadt. 
Recent vulnerabilities that Microsoft and Citrix disclosed in their software sent defenders scrambling. In both cases, the companies acknowledged there was a bug and were still working on patches. Proof-of-concept (POC) code had yet to hit the market, so for the moment users could at least take comfort in knowing a patch was on the way, while hoping no attacker figured out how to exploit the vulnerability first.
Cisco customers, however, were already protected and didn't need to wait for the vendors to protect their products with a patch.

Citrix alerted users to CVE-2019-19781 on Dec. 17, 2019. At the time, there was no POC available and no patch from Citrix. However, thanks to the mitigations Citrix released, our analysts wrote a Snort rule to protect against attacks exploiting the underlying vulnerability, not just this specific bug. When POC code leaked two weeks later, users of Citrix Application Delivery Controller (ADC) and Citrix Gateway were open to attack, but rule 52603 already accounted for these attacks, allowing Cisco Next-Generation Firewall and open-source Snort users to mitigate them before the patches were released. The vulnerability could allow an attacker to carry out directory traversal on affected servers, so the rules needed to protect users from any traversal attempt.
Two weeks later, Citrix also released the POCs, still before a patch was available. Talos analysts tested the existing rules against the available POCs and determined that they also protected against this new vulnerability.
The Talos analysts' process kept Cisco customers using affected Citrix products protected from day one, regardless of whether they had updated their Citrix products or even knew the vulnerability existed.
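To illustrate the point above about detecting the underlying traversal class rather than one POC string, here is an added example that is not Talos code and not a Snort rule: a small Python detector that canonicalizes request paths (repeated percent-decoding, backslash folding) and flags any `..` segment, run over constructed sample request lines alongside a naive literal match that misses the encoded variants.

```python
from urllib.parse import unquote

# Constructed sample HTTP request lines for demonstration only;
# they are not taken from the post and are not real attack traffic.
SAMPLE_REQUESTS = [
    "GET /portal/index.html HTTP/1.1",
    "GET /static/../../conf/secrets.xml HTTP/1.1",
    "GET /static/%2e%2e/%2e%2e/conf/secrets.xml HTTP/1.1",
    "GET /static/%252e%252e/conf/secrets.xml HTTP/1.1",
    "GET /images/..\\..\\conf\\secrets.xml HTTP/1.1",
    "GET /docs/release..notes.html HTTP/1.1",
]


def canonicalize_path(raw_path):
    """Percent-decode until the path stops changing (defeats double
    encoding), then fold backslashes into forward slashes."""
    path = raw_path
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(raw_path):
    """Generic check: any whole '..' segment after canonicalization.
    A filename merely containing dots (release..notes.html) is not a hit."""
    canon = canonicalize_path(raw_path)
    return any(segment == ".." for segment in canon.split("/"))


def naive_match(raw_path):
    """Literal signature for the one string seen in a POC; it misses
    percent-encoded and backslash variants of the same traversal."""
    return "../" in raw_path


def request_path(line):
    """Extract the request-target from a 'METHOD path HTTP/x.y' line."""
    return line.split(" ", 2)[1]


def scan(lines):
    """Return (path, naive_hit, generic_hit) for each request line."""
    return [(request_path(l), naive_match(request_path(l)),
             has_traversal(request_path(l))) for l in lines]
```

Running `scan(SAMPLE_REQUESTS)` shows the literal signature firing on only one of the four traversal variants while the canonicalizing check catches all four and stays quiet on the two benign paths.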
A week after the Citrix POC code hit the scene, Microsoft disclosed CVE-2020-0674, a situation similar to that of the Citrix vulnerability. At the time, Microsoft released a temporary set of mitigation steps, followed by an out-of-band patch, and warned that it had seen “limited targeted attacks” exploiting this flaw. Cisco customers were again ahead of the game, thanks to Snort rules 48699 – 48702, which originated from another vulnerability in 2018 and simply needed to be updated to match an exploit used against the more recent vulnerability.
Each case came with its own set of circumstances and hurdles, but the speed and accuracy with which Talos analysts worked on these Snort rules demonstrate that Talos’ unmatched visibility, intelligence and response make a difference in the field in real time.
Rules for CVE-2018-8653 — a remote code execution vulnerability in Internet Explorer’s scripting engine — were already available as part of another out-of-band release.
Thanks to an information-sharing agreement with Microsoft, Talos is alerted to upcoming Patch Tuesday vulnerabilities weeks ahead of time, allowing our analysts to have detection and protection ready right as Microsoft releases its own updates.
Once we received this information, our analysts turned it into detection that protects not only against this specific vulnerability but against others of its type. Based on the information from Microsoft, our rules were adapted to cover multiple vulnerabilities by searching for specific types of objects and primitive objects. These types of rules are more difficult to create but are easier to reuse in the future for similar vulnerabilities.
The rules for that vulnerability were intentionally wide-reaching, as they protected against any attempt by an attacker to downgrade the scripting engine — the same tactic needed to exploit CVE-2019-1367, a vulnerability of the same kind as CVE-2018-8653 and CVE-2020-0674. When Microsoft released the out-of-band patch earlier the previous year, the rules functioned as is and needed only cosmetic adjustments, even while Microsoft did not yet have a patch ready.
Snort rules go through rigorous testing to mitigate potential false positives and false negatives. To better prevent false positives and false negatives in the rules used to detect CVE-2020-0674, analysts looked for artifacts that would point to potential attacks, including specific objects, keywords and primitive JavaScript types. This way, when the Snort rule fired, it fired correctly and blocked only malicious attempts to remotely execute code in Internet Explorer.
All the rules Talos generated for CVE-2018-8653 and modified for CVE-2019-1367 held up against CVE-2020-0674.
These are just a few examples of what Talos researchers and analysts are producing daily. Keep an eye on Snort.org/advisories for the latest rule updates.