According to scans by security specialist Troy Mursch of the Chicago-based Bad Packets security consultancy, nearly 500 Citrix servers in the UK are still vulnerable to the critical security flaw designated CVE-2019-19781, despite final firmware and patches having been made available for all affected versions as of January 24, 2020.
The flaw affects Citrix Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0 and the Citrix Application Delivery Controller (ADC).
Bad Packets describes the vulnerability as follows:
“This critical vulnerability allows unauthenticated remote attackers to execute commands (RCE) on targeted Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers after chaining an arbitrary file read/write (directory traversal) flaw. Further exploitation can allow threat actors to gain a foothold inside private networks and conduct further malicious activity, such as spreading ransomware.”
Under CVSS 3.x vulnerability metrics, CVE-2019-19781 is rated 9.8 out of 10, a Critical severity rating, especially since it enables arbitrary code to be executed by an unauthenticated attacker. It emerged towards the end of last year, at which point affected users were advised to shut down servers until patches were made available. Citrix did suggest some mitigation measures but later admitted that these may not suffice for installations running earlier firmware. This led the Dutch National Centre for Cybersecurity to also recommend shutting down servers pending a patch, adding:
“If the impact of switching off the Citrix ADC and Gateway servers is not acceptable, the advice is to closely monitor for possible abuse. As a last risk-limiting measure you can still look at whitelisting specific IP addresses or IP blocks.”
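The two interim measures quoted above, monitoring for abuse and restricting access to known IP ranges, can be approximated from ordinary web access logs. The following script is an added example and is not code from the article, from Bad Packets, or from Citrix; it applies a generic directory-traversal heuristic (a ".." path segment after URL decoding, which is the class of flaw described earlier) to constructed log lines and flags which requests came from outside an assumed allowlist. The log lines, the allowlist networks and the `find_suspicious` function name are all constructed for illustration, not the vendor's own indicators.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). These are not
# real traffic and do not reproduce any vendor-published indicator.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
198.51.100.9 - - [25/Jan/2020:10:01:05 +0000] "GET /vpn/../../../etc/passwd HTTP/1.1" 200 1024
198.51.100.9 - - [25/Jan/2020:10:01:06 +0000] "POST /vpn/%2e%2e/%2e%2e/config HTTP/1.1" 200 77
10.0.0.5 - - [25/Jan/2020:10:02:00 +0000] "GET /vpn/../admin HTTP/1.1" 404 0
"""

# Minimal parser for the combined log format: source IP, timestamp, method,
# request path and response status are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal(path: str) -> bool:
    """Generic heuristic: does the request path contain a '..' segment once
    URL encoding (including double encoding such as %252e) is removed?"""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def find_suspicious(log_text: str, allowlist):
    """Return one record per traversal-looking request, noting whether the
    source IP falls inside the assumed allowlist (a list of CIDR strings)."""
    networks = [ipaddress.ip_network(net) for net in allowlist]
    findings = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or not is_traversal(record["path"]):
            continue
        source = ipaddress.ip_address(record["ip"])
        findings.append({
            "ip": record["ip"],
            "ts": record["ts"],
            "path": record["path"],
            "status": int(record["status"]),
            "allowlisted": any(source in net for net in networks),
        })
    return findings


def unallowlisted_sources(findings):
    """Source IPs outside the allowlist whose traversal attempts got a 2xx
    response; these are the first candidates for an incident review."""
    return sorted({f["ip"] for f in findings
                   if not f["allowlisted"] and 200 <= f["status"] < 300})


if __name__ == "__main__":
    # Assumed allowlist: an internal range that is permitted to reach the gateway.
    hits = find_suspicious(SAMPLE_LOG, ["10.0.0.0/8"])
    for hit in hits:
        print(hit)
    print("review first:", unallowlisted_sources(hits))
```

The heuristic deliberately ignores whether the request succeeded when deciding what to log, but `unallowlisted_sources` narrows the list to traversal attempts that both came from outside the permitted ranges and received a 2xx response, which is the combination that most warrants a closer look. Run it against real gateway logs only after confirming the log format matches the regular expression above.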
While Citrix has faced criticism for not moving fast enough in its response, it did release a final set of patches on January 24. Despite the vulnerability having been public for some time, as well as reports that hacking groups were shifting their focus to Citrix servers, many servers were still vulnerable at the end of January.
The Bad Packets scan report identified 474 vulnerable Citrix servers in the UK, which is down from the 2,028 identified before the release of patches, but still substantial. This compares poorly with Germany, which had more (2,510) vulnerable servers before the patches but fewer than half as many (238) afterwards. It seems UK organisations are slower to apply the patches despite Citrix and FireEye releasing a free scanner to assess the risk of compromise.
These systems remain open to compromise. Indeed, some may have been compromised already by more covert attackers quietly extracting data for sale on the dark web, or by attackers who are patiently waiting before initiating a more destructive attack.
Making use of available patches as soon as possible is a basic principle of good cybersecurity, but at Pro-Networks, we understand that it can be hard to stay informed about every threat that emerges, never mind apply patches while maintaining uptime. Fortunately, with our network management services, our engineers can put out fires before they become a problem.