Experts warn of ongoing scans for Citrix servers affected by CVE-2019-19781

Pierluigi Paganini January 09, 2020

Threat actors are probing Citrix servers in an attempt to exploit the CVE-2019-19781 remote code execution vulnerability.

Security researchers are warning of ongoing scans for Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers affected by the CVE-2019-19781 vulnerability.

The anomalous activities were detected last week, as reported by the popular expert Kevin Beaumont.

Johannes B. Ullrich, Dean of Research at the SANS Technology Institute, also confirmed the scans for vulnerable Citrix systems and added that no public exploits are yet available for this issue.

“Currently, I have not seen an actual “exploit” being used. But there is some evidence that people are scanning for vulnerable systems.” wrote Ullrich. “Based on some of the errors made with these scans, I would not consider them “sophisticated.” There is luckily still no public exploit I am aware of. But other sources I consider credible have indicated that they were able to create a code execution exploit.”

“A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.” reads the security advisory published by Citrix.

The issue affects all supported product versions and all supported platforms:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

It has been estimated that 80,000 companies in 158 countries are potentially at risk, most of them in the U.S. (38%), followed by the UK, Germany, the Netherlands, and Australia. 

The CVE-2019-19781 vulnerability was discovered by Mikhail Klyuchnikov from Positive Technologies. 

“If that vulnerability is exploited, attackers obtain direct access to the company’s local network from the Internet. This attack does not require access to any accounts, and therefore can be performed by any external attacker.” reads the post published by Positive Technologies.

“Positive Technologies experts determined that at least 80,000 companies in 158 countries are potentially at risk.”

The expert pointed out that exploiting the vulnerability does not require access to any accounts; for this reason, any external attacker could trigger the issue to gain unauthorized access to published applications and other internal network resources from the Citrix servers.

Depending on the configuration of the servers, Citrix applications can be used for connecting to workstations and critical business systems. Considering that Citrix applications are accessible on the company network perimeter, the flaw could allow attackers to attack other resources in the internal network from the Citrix server. 

“Citrix applications are widely used in corporate networks,” explained Dmitry Serebryannikov, director of the security audit department at Positive Technologies. “This includes their use for providing terminal access of employees to internal company applications from any device via the Internet. Considering the high risk brought by the discovered vulnerability, and how widespread Citrix software is in the business community, we recommend information security professionals take immediate steps to mitigate the threat.” 

Ullrich also noted that, although no public exploit is available, credible sources “have indicated that they were able to create a code execution exploit.”

Citrix has released measures to mitigate the flaw and recommends updating all vulnerable software versions.

Positive Technologies pointed out that the vulnerability was introduced in the Citrix software in 2014; for this reason, it is also important to detect past exploitation of the flaw.

The popular expert Florian Roth also provided a Sigma rule for detecting CVE-2019-19781 exploitation attempts against Citrix Netscaler, Application Delivery Controller, and Citrix Gateway.


Pierluigi Paganini

(SecurityAffairs – CVE-2019-19781, hacking)
