What is the Citrix Gateway exploit? How should I respond?

Exploits Released for Citrix Application Delivery Controller (ADC) and Citrix Gateways

This weekend two Proof of Concept exploits were made publicly available, released 23 days after initial discovery, much earlier than the expected 30-90 day disclosure deadline.

Due to this public release of exploits, attackers have added these attacks to their tool kits and they are ramping up quickly. If you use impacted Citrix technologies and have not applied the mitigations yet, you must do so immediately.

Citrix ADC and Gateway of specific versions – detailed below – were found to be vulnerable to a directory traversal in late December 2019 and given a CVE identifier – CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller and Citrix Gateway.  This meant that an attacker could potentially run authenticated commands against your Citrix devices due to the directory traversal vulnerability.  

There was no exploit available and Citrix had released mitigations for affected versions – Mitigation Steps for CVE-2019-19781 at that point.  There were discussions between researchers about the potential of this vulnerability, but no examples were publicly available. 

How can this exploit be used?

An attacker is able to exploit the Citrix device through a vulnerable path to run any program, gather any data, or run any command on the device.  The reliability of this attack will vary depending on what the attacker is attempting to do, e.g., have persistent remote access versus get the contents of your running config. 

Scanning and attack traffic associated with this threat has already grown and will continue to do so.  This could allow an attacker access to your Citrix environment, to extract your configs with secrets, and run arbitrary code within the device. 

How Would I Know if I’m being targeted and What Should I Do?

If vulnerable, and an attack is detected, you should change secrets and restore from backup previous to the attack. If vulnerable but no attack was detected, you should be safe but must apply mitigations https://support.citrix.com/article/CTX267679. 

This attack can be detected through requests as it requires the attacker attempts to access the /vpns/ path on your Citrix device.  Any Blumira customers where this path attempt was detected have been notified. However, if Blumira does not have visibility in your Citrix environment you may need to check internal request logs at your Firewalls and at the Citrix device.   You can run this command on your Citrix device over SSH to grep your HTTP request logs to determine if requests occurred as well

ssh -t yoursshuser@address 'grep -r "/../vpns/" /var/log/http*'

Am I Impacted by the Citrix Vulnerability?

The following Citrix devices are impacted by this vulnerability and must be mitigated immediately – https://support.citrix.com/article/CTX267679.

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

When is a fix expected by Citrix?

Right now Citrix does not have a patch for this vulnerability and only has target dates for it’s release.  This is likely a core component to the device which had unforeseen consequences which requires re-engineering forcing a slower release.  Blumira will notify affected organizations when the related patch is available for their impacted device.