Critical Citrix Vulnerability Exploited

The Threat

The security community has observed active exploitation targeting Citrix vulnerability CVE-2019-19781 [1] which allows code execution via simple directory traversal [2][3]. In observed cases, the threat actor was observed querying credential configuration on active honeypots, implying an opportunistic campaign. Due to the ease of this exploit, observation of active exploitation, and the possibility of credential theft, eSentire Threat Intelligence recommends immediately following the mitigation steps provided by Citrix.

What we’re doing about it

• eSentire is actively monitoring the situation and researching detection methods.

What you should do about it

• Mitigation steps have been published by Citrix [4] that require a technical resource to implement configuration changes.

Additional information

This vulnerability allows simple directory traversal by a remote attacker in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. No patches have been made available at this time.

• Dec 16 - Vulnerability publicly disclosed by Citrix [1]
• Dec 16 - Mitigation steps provided by Citrix [3]
• Dec 23 - Positive Technologies comments on the potential impact of the vulnerability [5]
• Dec 31 - SANS releases a speculative proof of concept [2]
• Jan 8 - Active exploitation of honeypot environment observed by researcher Kevin Beaumont [1]

References:

[1] https://support.citrix.com/article/CTX267027

[2] https://twitter.com/GossiTheDog/status/1214892555306971138

[3]https://isc.sans.edu/forums/diary/Some+Thoughts+About+the+Critical+Citrix+ADCGateway+Vulnerability+CVE201919781/25660/

[4] https://support.citrix.com/article/CTX267679

[5] https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/