Posted on November 13, 2021 at 9:48 AM
Citrix announced that it discovered a DDoS vulnerability that could be used to shut down a network and that affects its ADC and Gateway products. The company also said the bug affects the availability of its SD-WAN appliances.
With this critical security bug in Citrix Gateway and Citrix ADC, attackers could crash an entire corporate network without any authorization.
The two impacted Citrix products are used to secure remote access and for application-aware traffic management.
Vulnerability Has Already Been Patched
The company stated that a patch to the vulnerability has already been released. The bug is tracked as CVE-2021-22955 and enables unauthenticated denial of service because of uncontrolled resource consumption.
The second flaw is tracked as CVE-2021-22956 and enables temporary disruption of the management GUI of a device.
The affected interface includes the NITRO API, which configures and monitors NetScaler appliances programmatically and supports distributed computing in Citrix environments.
Exploitation has a major impact, as all three affected products are deployed globally. ADC and Gateway alone have been installed by more than 80,000 companies in 158 countries, based on an assessment from Positive Technologies.
When any of these appliances is disrupted, branch and remote access to corporate resources can be cut off. It can also result in the general blocking of cloud and virtual assets.
Citrix Customers Not Affected
This type of vulnerability makes the products very attractive to threat actors, the Gateway and ADC in particular.
Although Citrix did not provide technical details of the vulnerability, exploitation of CVE-2021-22955 tends to be very difficult. According to VulnDB, the bug can only be exploited from within the local network. On the other hand, attacking the bug does not require any kind of authentication. And although Citrix rated the bug as critical, it has been assigned a severity score of 5.1.
VulnDB also estimated the cost of an exploit for the bug at about $5,000; manipulation with an unknown input can result in a denial-of-service condition.
For the first Citrix ADC and Gateway vulnerability, the appliances have to be configured as an AAA or VPN virtual server to be affected. For the second vulnerability, the appliances must have the management interface reachable via a SNIP or the NSIP. However, Citrix said customers using its cloud-managed services are not affected by the DDoS attack. It said those servers are still protected by DTLS.
Datagram Transport Layer Security (DTLS) is a communications protocol used to secure delay-sensitive services or apps that use datagram transport. DTLS is designed to prevent tampering and eavesdropping and to protect data privacy.
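A defender's way to triage the two prerequisites above is to scan an exported appliance configuration for AAA/VPN virtual servers and for addresses that carry management access. The script below is an added example, not Citrix tooling; the ns.conf excerpt is constructed, and the assumption is that the exported config uses the NetScaler CLI command syntax shown (`add vpn vserver`, `add authentication vserver`, `add ns ip ... -type SNIP -mgmtAccess ENABLED`, `set ns config -IPAddress`).

```python
import re

# Constructed sample ns.conf excerpt (not taken from any real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add ns ip 10.0.0.11 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.0.0.12 255.255.255.0 -type SNIP
add vpn vserver gw_vs SSL 203.0.113.5 443
add authentication vserver aaa_vs SSL 203.0.113.6 443
add lb vserver web_vs HTTP 203.0.113.7 80
"""

# Assumed CLI syntax: "add vpn vserver <name> ..." / "add authentication vserver <name> ..."
VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver (\S+)")
# Assumed CLI syntax: "add ns ip <ip> <mask> ..." with option flags in any order
NS_IP_RE = re.compile(r"^add ns ip (\S+) \S+")
# Assumed CLI syntax: "set ns config -IPAddress <nsip> ..."
NSIP_RE = re.compile(r"^set ns config .*-IPAddress (\S+)")


def assess_exposure(ns_conf: str) -> dict:
    """Check which advisory prerequisites a config meets.

    CVE-2021-22955 needs an AAA or VPN (Gateway) virtual server.
    CVE-2021-22956 needs the management interface reachable; the NSIP always
    carries it, and SNIPs do too when -mgmtAccess ENABLED is set.
    """
    aaa_vpn_vservers = []
    mgmt_access_ips = []
    for raw in ns_conf.splitlines():
        line = raw.strip()
        m = NSIP_RE.match(line)
        if m:
            mgmt_access_ips.append(m.group(1))
            continue
        m = NS_IP_RE.match(line)
        if m and "-type SNIP" in line and "-mgmtAccess ENABLED" in line:
            mgmt_access_ips.append(m.group(1))
            continue
        m = VSERVER_RE.match(line)
        if m:
            aaa_vpn_vservers.append((m.group(1), m.group(2)))
    return {
        "cve_2021_22955_prereq": bool(aaa_vpn_vservers),
        "aaa_vpn_vservers": aaa_vpn_vservers,
        # every address on which the management GUI / NITRO API is reachable
        "mgmt_access_ips": mgmt_access_ips,
    }
```

Addresses listed under `mgmt_access_ips` are where the management GUI and NITRO API can be hit, so restricting that list to the NSIP on a management-only network reduces the surface for the second bug while the patch is rolled out.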
Citrix earlier patched a low-severity bug that could give threat actors a way to exploit its systems. According to the firm, that bug was caused by unmanaged resource usage and affects both the Citrix SD-WAN WANOP edition appliance and earlier Citrix SD-WAN products.
In December last year, Citrix warned its customers that threat actors were taking advantage of the firm's ADC products to carry out DDoS attacks. At the time, the firm said the attack was affecting a limited number of customers.
Citrix ADC And Gateway Exposed Again
Citrix ADC was formerly called NetScaler ADC. It is used as a network appliance to enhance the performance of applications and improve security functionality.
Citrix has also had issues with attackers exploiting known vulnerabilities in its products.
In December 2019, security researchers discovered a critical RCE vulnerability and disclosed it as a zero-day. The bug was not easy to patch, as it took the vendor several weeks to provide an update.
Last year, multiple bugs were discovered that could enable code injection, denial of service, and information disclosure. Many of them could be exploited by unauthorized remote threat actors.
After being exposed to security risks last year, the ADC and Gateway became exploitable by threat actors. Citrix released a patch for that flaw in January this year, but the recent attack suggests that other vulnerabilities already existed before the patch was issued.
The latest attack on the ADC products was first discovered earlier this month by Marco Hofmann, a security researcher at the German software company Anaxco GmbH. He stated that the threat actors were targeting UDP port 443, which is used by Citrix products.
The company has also advised customers to install updates and reconfigure modules to prevent any further exploitation.