This vulnerability is a bold reminder of the need to build around “presume compromise.” Whether a vendor is late with a patch, an adversary has a 0-day, or a mistake happens, we need to be less dependent on fixing any one issue: assume compromise will happen and work forward from there.
CVE-2019-19781 was published before a patch existed, with only manual mitigations available. The Randori team built a working exploit in less than 24 hours from the disclosure and the supporting public analysis. Assume the same is true of any skilled attacker.
So while this vulnerability is now in the spotlight with the release of public exploits, it’s safer to assume the issue has been exploitable by adversaries for a long time, and by a much broader group since December 18th, 24 hours after the initial public disclosure.
Even now, with public exploits in circulation, there is little reliable information about the efficacy of protections or the exact circumstances under which exploitation succeeds. So if you’re defending a network, you probably don’t feel confident. But this issue reminds us of the larger challenge: we’re still chasing bugs, and haven’t gotten to resilience in the face of compromise. This news cycle occurs every time a public exploit makes news; equivalent exploitation happens all the time without ever becoming news.
On December 17, 2019, Citrix disclosed an unauthenticated remote code execution (RCE) vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway, assigned CVE-2019-19781.
The disclosure included recommended mitigation steps, which divulged enough information to create an exploit for the vulnerability. Affected systems include:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Here is a summary of the situation. If you’ve applied mitigations and would like Randori to test them (and your holistic security program), you can sign up for a free trial here.
1. Proof-of-concept exploits are available for CVE-2019-19781.
On Friday, Jan 10, multiple working exploits were released into the wild, along with an uptick in scanning for vulnerable hosts.
Randori successfully developed a PoC exploit and can confirm that affected systems can be compromised. Exploiting the disclosed vulnerability yields user-level (non-root) access; gaining full control of the system or root access requires additional exploits.
As a result, this is our current Target Temptation scoring for Citrix/NetScaler Gateway:
2. Patches will be available at the end of January. Citrix has provided mitigation recommendations.
If you are impacted, reference Citrix’s official recommendations here: https://support.citrix.com/article/CTX267679.
Note: the mitigation relies on the “Responder Action & Policies” feature, which must be included in your Citrix license. For assistance applying the mitigation, contact Citrix support.
Firmware updates, in the form of refresh builds, will be available between January 27 and 31.
3. Honeypots and scans reveal a spike in opportunistic interest.
Even without root access, this vulnerability poses a high level of risk. Due to the nature of the affected products, which sit at the network edge and broker remote access, compromise likely gives an attacker a path into internal systems. The suggested mitigations are effective, but they are a workaround rather than a fix: until a patch ships the underlying flaw remains, so pay special attention to monitoring and detection on these systems. If Citrix represents a security boundary in your environment, prioritize remediation and visibility.
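Since the advice above is to watch these hosts closely, here is an added example (not Randori’s or Citrix’s code) of a log hunt for the request shape that Citrix’s published mitigation in CTX267679 blocks: a URL that, once decoded, contains /vpns/ together with a /../ traversal, or reaches /vpns/ from a client without an SSL VPN session. The log format, the client addresses and the log lines are constructed for illustration, and the hunt decodes the URL repeatedly, which is stricter than the single decode the responder policy performs.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample access-log lines (not real traffic). Format used here:
#   client "METHOD PATH PROTOCOL" status "User-Agent"
SAMPLE_LOGS = """
203.0.113.10 "GET /vpn/index.html HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.10 "GET /vpn/../vpns/cfg/example.conf HTTP/1.1" 200 "python-requests/2.22.0"
198.51.100.7 "GET /vpn/..%2Fvpns/portal/scripts/ HTTP/1.1" 403 "curl/7.64.1"
192.0.2.44 "GET /vpns/portal/homepage.html HTTP/1.1" 200 "Mozilla/5.0"
203.0.113.10 "POST /vpn/%252e%252e/vpns/portal/scripts/ HTTP/1.1" 200 "python-requests/2.22.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    client: str
    method: str
    raw_path: str
    decoded_path: str
    status: int
    confidence: str  # "high": traversal into /vpns/; "review": /vpns/ without traversal


def decode_path(path: str) -> str:
    """Percent-decode until stable (bounded), so double encoding such as
    %252e%252e cannot hide a "../" from the string match."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, urllib.parse.unquote(cur)
    return cur


def classify(decoded_path: str) -> Optional[str]:
    """Mirror the shape CTX267679 blocks: a decoded URL containing /vpns/
    and either a /../ traversal or no authenticated SSL VPN session.
    Session state is not in the log line, so /vpns/ without /../ is
    returned as "review" rather than being dismissed."""
    if "/vpns/" not in decoded_path:
        return None
    if "/../" in decoded_path:
        return "high"
    return "review"


def scan(log_text: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # unparseable line; a real hunt should count and report these
        decoded = decode_path(m["path"])
        confidence = classify(decoded)
        if confidence is not None:
            hits.append(Hit(m["client"], m["method"], m["path"], decoded,
                            int(m["status"]), confidence))
    return hits


def served_traversals(hits: List[Hit]) -> List[Hit]:
    """High-confidence traversal requests that got a 2xx: the mitigation
    was not in place (or did not apply) when they arrived, so these hosts
    need incident response, not just patching."""
    return [h for h in hits if h.confidence == "high" and 200 <= h.status < 300]


def attempts_per_client(hits: List[Hit]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.client] = counts.get(h.client, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for h in found:
        print(f"{h.confidence:6} {h.client:14} {h.status} {h.method} {h.raw_path} -> {h.decoded_path}")
    print("served traversals:", len(served_traversals(found)))
    print("per client:", attempts_per_client(found))
```

A 403 on a traversal request shows the responder policy doing its job; a 200 on the same shape means the request was served and the host should be treated as potentially compromised rather than merely vulnerable.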
Assess your attack surface to determine if you are vulnerable.
Early estimates put roughly 80,000 systems at risk. Over 30% of our customers were impacted and were notified by email on Jan 11.
For our latest on CVE-2019-19781, check out our real-time Randori Attacker Notes.
Randori Attack Team
Get a free Randori Recon report to understand your external exposure.