Canadian Centre for Cyber Security Recommends Disconnecting Vulnerable Citrix Devices from the Internet

The Canadian Centre for Cyber Security has issued a security alert, advising Canadian organizations to disconnect their Citrix devices from the internet to prevent cyber-attacks.

According to the Canadian Centre for Cyber Security, ongoing exploitation of the security vulnerability in Citrix devices officially designated as CVE-2019-19781 has been observed within Canada. The security vulnerability in Citrix devices allows an attacker to gain direct access to an organization’s local network from the internet.

Exploiting this vulnerability requires no account or credentials on the device, so any unauthenticated attacker who can reach it from the internet can attempt it.

Citrix, for its part, said that CVE-2019-19781, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. The vulnerability is rated Critical, with a CVSS score of 9.8.

The following Citrix products are affected by the security vulnerability:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and Citrix Gateway version 12.1 all supported builds
  • Citrix ADC and Citrix Gateway version 12.0 all supported builds
  • Citrix ADC and Citrix Gateway version 11.1 all supported builds
  • Citrix ADC and Citrix Gateway version 10.5 all supported builds
  • Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100 all supported builds

Here are the top reasons why your organization needs to consider disconnecting Citrix devices from the internet:

1. First to be Attacked

Depending on their configuration, Citrix products are used for connecting to workstations and critical business IT systems. “In almost every case, Citrix applications are accessible on the company network perimeter, and are therefore the first to be attacked,” said Positive Technologies, the organization that first discovered CVE-2019-19781. “This vulnerability allows any unauthorized attacker to not only access published applications, but also attack other resources of the company’s internal network from the Citrix server.”

2. No Patch Available for CVE-2019-19781

Although Citrix publicly disclosed CVE-2019-19781 as early as December 17, 2019, the company has not yet issued a patch or security update for the vulnerability. Citrix has said that a patch will not be released until late January 2020.

3. Availability of Public Exploits

One reason for the growing exploitation of CVE-2019-19781 in the wild is the availability of public exploits, that is, publicly available proof-of-concept (PoC) code showing how to exploit CVE-2019-19781.

On January 10th, a group of security researchers calling themselves Project Zero India released the first PoC exploit code for the CVE-2019-19781 vulnerability. Security researchers at TrustedSec released their own PoC a few hours later.

“We are only disclosing this due to others publishing the exploit code first,” TrustedSec said in a description of their PoC on GitHub. “We would have hoped to have had this hidden for a while longer while defenders had appropriate time to patch their systems.”

According to researchers at FireEye, shortly after the release of the PoC, weaponized versions of the exploit were observed being used to gain a foothold in victim organizations’ networks.

Ongoing Exploitation of CVE-2019-19781 in the Wild

According to Positive Technologies, as of December 23, 2019, the security vulnerability found in Citrix devices puts networks of 80,000 companies in 158 countries at risk.

Active exploitation of CVE-2019-19781 has been going on since January 8th, security researcher Kevin Beaumont reported. “In my Citrix ADC honeypot, CVE-2019-19781 is being probed with attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue),” Beaumont said.

As of January 11, 2020, Bad Packets reported that over 25,000 Citrix devices remained vulnerable to CVE-2019-19781. According to Bad Packets, on January 12th multiple CVE-2019-19781 exploit attempts from Poland were detected. Bad Packets said this malicious activity from Poland differed from the earlier scanning activity in that it consisted of actual remote code execution exploit attempts rather than probes.

Researchers at FireEye recently reported that a threat actor has been observed exploiting CVE-2019-19781 and delivering a never-before-seen payload dubbed “NOTROBIN”. According to FireEye, after gaining access to a Citrix device by exploiting CVE-2019-19781, the threat actor cleans up known malicious software (malware) already present and installs NOTROBIN on the compromised device.

The researchers said NOTROBIN serves two purposes: first, to block subsequent CVE-2019-19781 exploitation attempts by other actors, and second, to maintain backdoor access for anyone who knows the backdoor’s secret passphrase. The researchers said this backdoor could be used by the threat actor to collect information for a subsequent attack.

Mitigating Measures

Citrix provided a mitigating measure against CVE-2019-19781 exploitation. The mitigation involves configuration changes, requiring administrators to run commands from the command line interface of the Citrix device “to create a responder action and policy”. There have been reports, however, that the Citrix mitigation breaks under some circumstances and interferes with legitimate users’ access to the administration portal.

According to the Canadian Centre for Cyber Security, the mitigation steps provided by Citrix are not effective when applied to older versions and builds. As such, the Cyber Centre calls on device owners to update to a newer build and then apply the mitigation provided by Citrix.

In the event that the suggested mitigation can’t be applied on vulnerable Citrix devices, the Canadian Centre for Cyber Security recommends that vulnerable devices should be disconnected from the internet. “Due to the severity of this vulnerability and the amount of active exploitation being observed and reported in Canada and abroad, the Cyber Centre recommends that all vulnerable Citrix devices that cannot have mitigations applied to them be disconnected from the Internet,” Canadian Centre for Cyber Security said.
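A defender-side check for the activity described above, covering both the traversal probing Beaumont reports (requests that use ../ to reach files under /vpns/) and the distinction Bad Packets draws between scanning and actual RCE attempts. This is an added Python example, not code from the article, Citrix or the Cyber Centre; the combined-format access log and its sample lines are constructed, and the method-based probe/exec split is a heuristic assumed here rather than a documented rule.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not real captures.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2020:14:02:11 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [11/Jan/2020:09:15:43 +0000] "GET /vpn/../vpns/cfg/sample.conf HTTP/1.1" 200 1049 "-" "curl/7.64.0"
198.51.100.7 - - [12/Jan/2020:03:41:09 +0000] "POST /vpn/..%2fvpns/portal/scripts/sample.pl HTTP/1.1" 200 311 "-" "python-requests/2.22"
203.0.113.30 - - [12/Jan/2020:03:41:10 +0000] "GET /vpns/portal/homepage.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, method, request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(method, raw_path):
    """Return None for an unremarkable request, otherwise a short label.

    The indicator is a request that reaches a /vpns/ path by way of
    directory traversal. Percent-decoding is applied twice so that
    double-encoded sequences (%252e%252e) are normalised as well.
    """
    path = unquote(unquote(raw_path)).lower()
    traversal = "../" in path or "..\\" in path
    if "/vpns/" not in path or not traversal:
        return None
    # Heuristic: reads/probes arrive as GET; requests that try to change
    # state on the device arrive as POST or PUT.
    if method in ("POST", "PUT"):
        return "write-or-exec attempt"
    return "read/probe attempt"


def scan_log(text):
    """Return a list of (ip, method, path, label) for suspicious lines."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m["method"], m["path"])
        if label:
            hits.append((m["ip"], m["method"], m["path"], label))
    return hits


if __name__ == "__main__":
    for ip, method, path, label in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {method:5} {label:22} {path}")
```

Legitimate /vpns/ requests without a traversal component (the last sample line) are not flagged, which keeps the check usable on a busy gateway log.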

Considering the current state, your business might be vulnerable without you knowing it.

Call us today at (416) 920-3000 or email, and we will evaluate your infrastructure quickly and efficiently and will tell you if your organization is at risk. Our experts will help you every step of the way. Don’t delay, call now!
