Maksim Kabakou - Fotolia
Unpatched Citrix vulnerability expands as mitigations fall short
Citrix discovered another product affected by last month's vulnerability, while security researchers found an attacker blocking exploits of the vulnerability.
The Citrix vulnerability disclosed last month was found in another product as enterprises continue to wait for patches to arrive.
Citrix updated its advisory regarding CVE-2019-19781 on Thursday and added its SD-WAN WANOP to the affected products list, which had included Citrix Appliance Delivery Controller and Gateway. The vendor also noted that the mitigation procedures it had previously recommended would not work on certain builds of Citrix ADC 12.1.
UPDATE: Citrix announced on Jan. 19 that the first patches for the vulnerability were released ahead of schedule. Patches for Citrix ADC versions 11.1 and 12.0, which also apply to Citrix Gateway, are currentlyavailable. The company also announced that it had accelerated the release schedule for patches for SD-WAN WANOP and additional versions of ADC, which will now be released on Jan. 24.
Fermin Serna, chief information security officer at Citrix, told SearchSecurity the additions came as a result of the company's due diligence process.
"The vulnerability detected in Citrix SD-WAN is the same as the vulnerability detected in Citrix Gateway and was discovered when we realized that an older version of our SD-WAN appliance called the WANOP has a [NetScaler] load balancer on it by default and hence, would be impacted," Serna told SearchSecurity. "Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31 had a defect which didn't let the responder policy take effect in VPN vServers. Since our mitigation is based on responder policies, if any customer has a deployment which was not updated to later versions, the mitigation would not be effective. We wanted to call this defect out to ensure that our customers on NS 12.1 do not end up being at risk, just because they have not upgraded to 51.16/51.19/50.31 or later."
Citrix previously announced a schedule for software fixes tackling the issue, and added the patches for SD-WAN WANOP 10.2.6 and 11.0.3 to the expected release on Jan. 27.
NOTROBIN (Hood) attacks
While security researchers have seen attacks exploiting the Citrix vulnerability in honeypots, William Ballenthin, senior staff reverse engineer, and Josh Madeley, principal consultant, both at FireEye, discovered interesting attacks on customer systems using code they named NOTROBIN.
"Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign," Ballenthin and Madeley wrote in a blog post. "While we haven't seen the actor return, we're skeptical that they will remain a Robin Hood character protecting the internet from the shadows."
It is unclear the intent of the NOTROBIN attacker, but retaining backdoor access to systems presents a clear risk in contrast to the protection against exploitation of the Citrix vulnerability.
Ballenthin told SearchSecurity that FireEye has seen "more than a dozen organizations" with NOTROBIN-related activity and the first deployment of the code occurred on Jan. 12. He noted initial reconnaissance against vulnerable Citrix products as early as Jan. 7, but could not confirm it was the same threat actor.
"Attacks against CVE-2019-19781 are very common this week, because it is a critical vulnerability with an easy-to-use, public exploit. There are multiple actors scanning for vulnerable devices and opportunistically compromising Citrix NetScaler devices. Some deploy cryptominers, but not all," Ballenthin said. "For a single system, we saw around a dozen failed exploitation attempts. I believe that most/all of these would have succeeded if NOTROBIN had not been blocking them. This should provide an approximate scale of the scanning and exploitation activity."