Unpatched Citrix vulnerability now exploited, patch weeks away
On December 16, 2019, Citrix revealed a vulnerability in the company’s Application Delivery Controller and Gateway products—commercial virtual-private-network gateways formerly marketed as NetScaler and used by tens of thousands of companies. The flaw, discovered by Mikhail Klyuchnikov of Positive Technologies, could give an attacker direct access to the local networks behind the gateways from the Internet without the need for an account or authentication using a crafted Web request.
Citrix has published steps to reduce the risk of the exploit. But these steps, which simply configure a responder to handle requests using the text that targets the flaw, breaks under some circumstances and might interfere with access to the administration portal for the gateways by legitimate users. A permanent patch will not be released until January 20. And as of January 12, over 25,000 servers remain vulnerable, based on scans by Bad Packets.
This is not surprising, considering the number of Pulse Secure VPNs that have not yet been patched over six months after a fix was made available, despite Pulse Secure executives saying that they have “worked aggressively” to get customers to patch that vulnerability. And given that vulnerable Pulse Secure servers have been targeted now for ransomware attacks, the same will likely be true for unprotected Citrix VPN servers—especially since last week, proof-of-concept exploits of the vulnerability began to appear, including at least two published on GitHub, as ZDNet’s Catalin Cimpanu reported.
A one-two punch
The vulnerability allows the remote execution of commands in just two HTTP requests, thanks to a directory traversal bug in the implementation of the gateway’s Web interface. The attacks use a request for the directory “/vpn/../vpns/” to fool the Apache Web server on the gateway to point to the “/vpns/” directory without authentication. The attacks then inject a command based on the template returned from the first request.
Even if the attacks don’t work, there’s the risk of denial of service—errors created by requests could quickly fill up the /var/ directory of a targeted gateway, causing the system to crash.
Turning the exploit into a successful attack—and moving into the targeted network—may not be as simple as with exploits of Pulse Secure, however. The Citrix NetScaler products are based on FreeBSD—which in itself may have prevented some less skilled attackers not familiar with the operating system from going very far with attacks. Of course, Citrix is using a heavily modified version of FreeBSD with custom-written networking code—one based on an older version of the operating system for which Citrix has to write its own patches.
The Cybersecurity and Infrastructure Security Agency (CISA) has now released a test to check for the vulnerability.