It’s been more than two weeks since researchers went public with a critical vulnerability in products made by Citrix, a provider of corporate VPN software, that could give an attacker free rein over the many enterprise networks that use the software.
Now, with a complete patch for the vulnerability still unavailable, cybersecurity experts are exhorting organizations to address the issue.
“It’s extremely important to apply the mitigation steps and recognize that there is no patch for this,” said Dave Kennedy, founder of cybersecurity company TrustedSec, adding that he has already seen attackers scanning for vulnerable systems.
“We have a working exploit, and it took us under a day to develop it,” Kennedy told CyberScoop. “Attackers have the same capabilities.”
The flaw, discovered by cybersecurity company Positive Technologies, is in a Citrix cloud-based application delivery tool, as well as a product that allows remote access to the company’s applications. Based on the popularity of the software tools, Positive Technologies claimed that the vulnerability could affect tens of thousands of companies. CyberScoop has requested an estimate of the number of devices affected from Citrix.
“Lots of good security architectures appropriately rely on Citrix to reduce the attack surface significantly and now they are at significant risk,” Rob Joyce, a senior official at the National Security Agency, said in a tweet urging users to patch the vulnerability.
The Citrix RCE is a doozie. Lots of good security architectures appropriately rely on Citrix to reduce the attack surface significantly and now they are at significant risk. Get this patched. https://t.co/7B9d7e7YK7
— Rob Joyce (@RGB_Lights) January 10, 2020
The challenge is that there isn’t a full-fledged patch for the flaw, only a stop-gap measure, known as a “workaround,” that Citrix provided last month. The company has said it will release a firmware update to fully address the issue.
On Saturday, a day after this story was published, Citrix announced that it was still working on permanent patches for the product versions affected by the vulnerability, and that those would be rolled out over the next three weeks. “These fixes need to be comprehensive and thoroughly tested,” Citrix CISO Fermin J. Serna wrote in a blog post, explaining why the patches weren’t ready.
Serna contended that “a limited number of devices are exploitable” because “many deployments are behind the firewall.”
But Kennedy and other security experts strongly disputed the notion that only a small number of devices could be exploited.
“Limited Number” https://t.co/2ROcRM8DDL
— Chase Dardaman (@CharlesDardaman) January 13, 2020
Kennedy said that a patch from Citrix could address the full suite of security implications of the vulnerability — rather than just the directory traversal that the workaround addresses.
Meanwhile, researchers like Kennedy have quietly built exploits for the Citrix vulnerability in order to bolster defenses, much like they did for the critical BlueKeep vulnerability in old Windows operating systems that emerged last May.
Security company MDSec on Friday released its own study of the Citrix vulnerability and how it might be exploited.
“Due to the number of devices impacted, MDSec have decided to not provide a ready-made exploit for this vulnerability,” wrote Rio Sherri, a security consultant at the company.
“However, we are aware of multiple actors who have now weaponized this vulnerability and felt it important to share this research so others can take appropriate action,” Sherri added.
UPDATE, 01/13/20, 9:38 a.m. EDT: This story has been updated with a statement from Citrix.