Six months ago, a critical vulnerability found in software made by Citrix set off an uncomfortable few weeks for the virtual private networking vendor and the Fortune 500 companies that rely on its products.
It took Citrix a month to release a software fix, well after researchers were warning that malicious hackers were actively exploiting the vulnerability. Even with a fix available, Chinese spies conducted a sweeping operation that took advantage of the software flaw in critical infrastructure sectors.
On Tuesday, Citrix revealed 11 new vulnerabilities in those same cloud-based and remote access products. This time, the Florida-based VPN service provider is hoping to head off attacks by having patches available immediately. The vulnerabilities, under certain conditions, could allow an attacker to inject malicious code into a network running Citrix software, or conduct a denial-of-service attack on virtual servers. Citrix urged customers to install the fixes.
There haven’t been any reports of malicious hackers exploiting the vulnerabilities, according to Fermin J. Serna, Citrix’s chief information security officer.
The new bugs likely won’t have as big a security impact as the Citrix vulnerability that emerged in December, according to Justin Elze, a principal security consultant at security company TrustedSec. Exploiting many of the new bugs requires access to the IP address used to manage the software, and that address, generally speaking, isn’t sitting on the internet.
But Elze warned against complacency. He pointed to a critical vulnerability in a similar software interface made by another vendor, F5 Networks. In a lot of organizations, the F5 software was needlessly exposed online and ripe for exploitation. Both the F5 and Citrix vulnerabilities show why it’s important to keep those interfaces on a secure network, Elze said in an email.
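The practical takeaway from Elze’s comments is that a management interface should only ever be reachable from a designated internal network. The following is an added example, not code from the article, Citrix or TrustedSec: it audits a constructed, hypothetical asset inventory and flags any management-plane address that falls outside the networks an organization has approved for administrative access. Host names, addresses and the allowed network list are all assumptions for illustration.

```python
import ipaddress

# Constructed sample inventory (hypothetical hosts; not from the article).
# "role" distinguishes the management plane from customer-facing virtual servers,
# which are expected to carry routable addresses.
MANAGEMENT_INVENTORY = [
    {"host": "adc-mgmt-01", "role": "management",     "addr": "10.20.30.40"},
    {"host": "adc-mgmt-02", "role": "management",     "addr": "203.0.113.17"},
    {"host": "adc-vip-01",  "role": "virtual-server", "addr": "203.0.113.25"},
    {"host": "adc-mgmt-03", "role": "management",     "addr": "fd00:1234::1"},
]

# Assumed policy: administrative access is permitted only from these networks.
# Replace with the organization's real management VLANs / VPN ranges.
ALLOWED_MGMT_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("fd00::/8"),
]


def is_exposed_management(addr, role, allowed=ALLOWED_MGMT_NETWORKS):
    """Return True when a management-plane address lives outside every
    approved management network. Non-management roles are never flagged."""
    if role != "management":
        return False
    ip = ipaddress.ip_address(addr)
    # Address-family mismatches (v4 address vs v6 network) simply fail the
    # membership test, so mixed allow-lists are safe to use here.
    return not any(ip in net for net in allowed)


def audit_management_exposure(inventory, allowed=ALLOWED_MGMT_NETWORKS):
    """Return the host names whose management address violates the policy,
    in inventory order, so the result can feed a ticket or an alert."""
    return [
        entry["host"]
        for entry in inventory
        if is_exposed_management(entry["addr"], entry["role"], allowed)
    ]


if __name__ == "__main__":
    for host in audit_management_exposure(MANAGEMENT_INVENTORY):
        print(f"management interface outside approved networks: {host}")
```

Run against the constructed inventory, only adc-mgmt-02 is reported: its management address is not in an approved range, while the virtual server on a routable address is intentionally ignored because serving traffic is its job. The same check, run periodically over a real inventory or over the address table exported from the devices themselves, gives an early warning before a management-plane bug like the ones described here becomes reachable from the internet.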
Maarten Boone, a researcher who discovered one of the 11 new bugs, said he decided to take a look at Citrix’s software after all of the hacking that stemmed from the last Citrix vulnerability. To encourage Citrix customers to update their software, he plans to release a proof-of-concept exploit for the privilege-escalation vulnerability he found.