Posted on January 10, 2020 at 1:58 PM

Citrix Servers Discovered to be Vulnerable to Cyberattackers

Researchers have revealed that some cyber attackers are exploring weaknesses in the ADC and Gateway products in the Citrus servers. The researchers disclosed this malware attack in December as the malware impacts NetScaler ADC as well as the NetScaler, known as the Citrus Gateway.

Positive Technologies initially reported the hacking attempt when it said the system’s weakness allows directory traversal. When this weakness is exploited, the threat actors can carry out Remote Code Execution attacks on the system.

It should be noted that this is not the first time Citrix has discovered a security breach or vulnerability in their system. Last year March, it discovered a security breach due to weak account credentials. During the attack, the threat actors were able to infiltrate the internal networks and hacked some critical business documents.

Affected vulnerable products

The security advisory board at Citrix has mentioned the list of products affected by the breach. They include the Gateway 10.5 version, gateway 11.1 version, 12.0, 12.1, as well as the gateway 13.0 version of the products.

The security board also stated there are more than 800,000 users from about 157 countries who make use of the ADC products. According to the firm, these numbers could be vulnerable to cyberattacks if the breach continues.

But users in the U.S. are more at risk because they dominate the large numbers of users of ADC. Presently, 38% of the users are residents in the U.S. The company also has significant users in Australia, Netherlands, Germany, and the United Kingdom. Citrix application is used to connect critical businesses and workstations

According to Positive Technologies, the portal is vulnerable to attack because Citrix application is first accessible from the firms’ network perimeter.

The breach gives unauthorized access to hackers or other attackers to the company’s applications as well as other programs listed on the company’s internal network. When they breach the network server of Citrix, they can reach other sections of the server and infiltrate the system, according to Positive Technologies.

Researchers still exploring other vulnerabilities

Bleeping Computer reported on January 8 that security researchers had discovered some loopholes in the Citrix servers that potential hackers are looking to exploit. Researcher Kevin Beaumont said on Twitter that some attackers are reading highly classified credential configuration files using directory traversal.

? In my Citrix ADC honeypot, CVE-2019-19781 is being probed with attackers reading sensitive credential config files remotely using ../ directory traversal (a variant of this issue). So this is in the wild, active exploitation starting up. ? https://t.co/pDZ2lplSBj

— Kevin Beaumont (@GossiTheDog) January 8, 2020

According to him, the hackers are not making use of public exploit codes. Even if they want to exploit that option, it is presently not happening. He reiterated that the attackers did not use sophisticated measures to infiltrate the system, adding that some of the attack attempts were merely GET requests.

Measures for mitigation

Although Citrix has not yet issued a firmware that would patch up the vulnerability, the firm has released some mitigation steps for both clusters and standalone systems. The company has asked its users to apply these mitigation steps to avoid being a victim of any cyberattack.

It also said that when the firmware version for the vulnerability patch is released, customers should make sure their system is completely updated with the new appliance firmware. Also, Citrix has asked customers to subscribe to bulletin alerts to know exactly when the new firmware would be updated and released.

Dmitry Serebryannikov, director at Positive Technologies, said that many corporate networks make use of the Citrix applications. Via the application, the companies can provide terminal access to their employees through the platform.

Considering how broad the Citrix app has gone into the business community and the high risk of vulnerability, the researchers have asked Citrix security experts to find the root of the matter. According to them, it would help to discover everything about the breach on time to mitigate any future threats around the systems.

The security researchers also urged IT administrations to run sets of commands to help patch up the vulnerability and create a strong line of defense against any future cyber attackers in the system. While advising customers, Citrix said the affected customers should immediately apply the changes for the upgrade when it’s released. They should also upgrade other vulnerability appliances with the soon to be released firmware.