Positive Technologies: Potential Risks Include DDoS, Phishing and Malware Attacks
Researchers at Positive Technologies say they discovered a vulnerability in enterprise software offerings from Citrix that potentially could put 80,000 companies in 158 countries at risk of a cyberattack.
Citrix has issued patches to mitigate the risk, urging users to promptly apply them. The vulnerability could leave companies at risk of DDoS, phishing, malware and cryptocurrency mining attacks, the Positive Technologies researchers say.
Researcher Mikhail Klyuchnikov reports he found the critical vulnerability in Citrix Application Delivery Controller and in Citrix Gateway. The vulnerability, CVE-2019-19781, affects all supported versions of the enterprise products, including Citrix ADC and Citrix Gateway 13.0, Citrix ADC and NetScaler Gateway 12.1, Citrix ADC and NetScaler Gateway 12.0, Citrix ADC and NetScaler Gateway 11.1, and also Citrix NetScaler ADC and NetScaler Gateway 10.5, Klyuchnikov says. It allows unauthorized access to published applications and other internal network resources from the Citrix servers.
“Citrix applications are widely used in corporate networks,” says Dmitry Serebryannikov, director of the security audit department at Positive Technologies. “This includes their use for providing terminal access of employees to internal company applications from any device via the internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.”
Risk Mitigation Plan
Positive Technologies says it reported the vulnerability to Citrix in early December. Citrix responded quickly with risk mitigation measures, the researchers say.
Citrix warned that if exploited, the vulnerability “could allow an unauthenticated attacker to perform arbitrary code execution,” Serebryannikov says.
To fend off potential attacks, companies can also use web application firewalls, Serebryannikov says. The system must be set to block all dangerous requests to ensure protection in real time. Considering how long this vulnerability has been around, detecting potential exploitation of this vulnerability – and, therefore, infrastructure compromise – retrospectively is important, he says.
Citrix recommends configuration changes on the stand-alone system, running commands from the appliance's command line interface to create a responder action and policy, according to a statement on its website. It says the configuration changes also need to be applied to the management interface, so that attempts to exploit the vulnerability there are detected as well.
These steps should begin with a reboot, as a precaution, to ensure that any sessions already opened via the vulnerability before the policy is applied are cleared, Serebryannikov says.
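The responder action and policy the article refers to, as an added example reproduced from Citrix's public advisory for this CVE rather than from the article itself (stand-alone appliance; the management-interface step assumes the NSIP or a SNIP has management access enabled, and the expression should be checked against the current vendor advisory before use):

```nscli
# Added example (Citrix advisory mitigation, not code from the article).
# Reboot the appliance first, as described above, so that any sessions
# opened before the policy exists are cleared; then reconnect and run:
enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267679 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267679 1 END -type REQ_OVERRIDE
save config
# Management interface: make responder policies apply to management
# traffic as well, and persist that setting across reboots.
shell
nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler
```

The policy returns 403 to any request whose decoded URL touches the affected path with a traversal sequence or without an established SSL VPN session; the patches Citrix has since released remain the actual fix.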
Klyuchnikov warns that because the vulnerability has existed since 2014, it’s as important to look for any existing exploitations and infrastructure compromises as it is to defend against potential attacks.
In another incident in March, Citrix reported the theft of business documents by hackers from its servers (see: Citrix Hacked by Password Spraying Attackers: FBI Warns).