How do I deal with the Citrix leak?

Last December, we were startled by reports that Citrix ADC (formerly Citrix NetScaler) contained a serious vulnerability. Citrix ADC makes it possible, for example, to log in externally (from home or another location) to the network of the company you work for. In this article I explain what the Citrix leak CVE-2019-19781 is all about, provide information about the patch and explain how to deal with leaks like this one in an organization.

22 January 2020

To give you an idea of how widely Citrix is used: many municipalities, hospitals and multinationals run this application with Citrix ADC. Note that not only Citrix ADC is affected, but also Citrix Gateway, Citrix NetScaler, Citrix NetScaler ADC and Citrix SD-WAN WANOP.

The vulnerability

Through this vulnerability, it is possible to execute code remotely (remote code execution) on the Citrix ADC and then gain access to the corporate network. In short, a malicious party can thus gain access to the very system that Citrix ADC is supposed to protect. The malicious person then obtains so-called "admin" rights and can therefore do anything on the network. Think, for example, of gaining access to sensitive information and personal data.

Mitigation and patching

Because patches were not readily available, Citrix decided to issue mitigation plans. Briefly, they involve the following:

Whitelisting IPs.
Only allow certain IP addresses. Effective, but it costs a lot of management resources. Especially in large organizations where many employees connect to the corporate network from outside, it is almost impossible to whitelist all IP addresses that are allowed to connect.

Web Application Firewall (WAF).
It is possible, if not already done, to place the entire Citrix environment behind a WAF. Filters can then be applied to control traffic and thus make it more difficult for malicious parties to carry out an attack.
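The whitelisting measure above is usually implemented on the firewall or on the ADC itself, but the logic is the same wherever it lives. The following added example (not from the article or from Citrix) shows that logic in Python: an allowlist of CIDR ranges rather than single hosts, which keeps the list manageable for organizations with many remote workers, and a denial log so that blocked attempts stay visible to whoever monitors the environment. All addresses are constructed placeholders from the documentation ranges.

```python
import ipaddress
import logging

# Constructed allowlist: office ranges and a remote-access concentrator,
# expressed as CIDR blocks instead of individual hosts. These are
# documentation/test addresses, not real infrastructure.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # head office (TEST-NET-3, constructed)
    ipaddress.ip_network("198.51.100.0/25"),  # branch office (TEST-NET-2, constructed)
    ipaddress.ip_network("2001:db8:1::/48"),  # IPv6 documentation range, constructed
]


def is_allowed(source_ip, networks=ALLOWED_NETWORKS):
    """Return True if source_ip falls inside any allowlisted network.

    Input that does not parse as an IP address is denied, never allowed:
    a whitelist must fail closed.
    """
    try:
        addr = ipaddress.ip_address(source_ip.strip())
    except ValueError:
        return False
    # An IPv4 address is never "in" an IPv6 network and vice versa, so
    # mixed-family lists are safe to combine.
    return any(addr in net for net in networks)


def filter_requests(requests, networks=ALLOWED_NETWORKS):
    """Given (source_ip, path) tuples, return those from allowlisted sources
    and log each denial so blocked attempts remain visible."""
    allowed = []
    for source_ip, path in requests:
        if is_allowed(source_ip, networks):
            allowed.append((source_ip, path))
        else:
            logging.warning("denied %s -> %s (source not in allowlist)", source_ip, path)
    return allowed


if __name__ == "__main__":
    # Constructed sample of connection attempts to the gateway.
    sample = [
        ("203.0.113.17", "/vpn/index.html"),   # head office, allowed
        ("198.51.100.200", "/vpn/index.html"), # outside the /25, denied
        ("2001:db8:1::5", "/vpn/index.html"),  # IPv6 office range, allowed
        ("not-an-ip", "/vpn/index.html"),      # garbage, denied
    ]
    for entry in filter_requests(sample):
        print("allowed:", entry)
```

The design choice worth noting is the fail-closed handling of unparseable input: a whitelist that lets an unexpected value through defeats its purpose, so anything the parser rejects is treated as not on the list.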

What's special about Citrix ADC version 12.1 build 50.28?

For version 12.1 build 50.28, the measures described above did not always appear to work. So there is a good chance that a system running on this version has been compromised, in other words that a malicious person has already been inside the system.

The National Cyber Security Centre (NCSC) has already written about this and therefore recommends taking such a system offline regardless.

Patches

A patch is a solution to the problem that arose. It closes the leak and makes the system safe(r) again. However, a patch is only effective if the network has not already been compromised. Otherwise, a malicious party who is already inside can still access the network, even after the patch.

Patches have since been issued by Citrix. A list can be found below:

  • NetScaler version 11.1 build 63.15

  • NetScaler VPX 11.1

  • NetScaler VPX 12.0

  • NetScaler 12.0 build 63.13

  • SDX Bundle v. 12.0 build 63.13

How do I deal with the Citrix leak?

We recommend following the steps below. This will ensure you minimize the impact of the leak.

Check

It is good to check first whether the system is vulnerable. The same verification tool can also be used to determine whether the patches have done their job. The tool can be downloaded here. CISA also issued a tool.
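Alongside the verification tools mentioned, a simple administrative check is to compare the build a device reports against the fixed builds the article lists. The following added example (not from the article, Citrix or CISA) parses version strings of the form "NetScaler version 11.1 build 63.15" and classifies them as patched, vulnerable or unknown. The table of fixed builds contains only the two branches for which the article gives a build number; it is an assumption that your inventory reports versions in this format, and the table must be extended from the vendor advisory for the branches you actually run.

```python
import re

# First fixed build per branch, taken from the article's patch list.
# This is deliberately incomplete: extend it from the vendor advisory.
FIXED_BUILDS = {
    "11.1": (63, 15),
    "12.0": (63, 13),
}

# Matches a branch such as "11.1" optionally followed by a build "63.15".
_VERSION_RE = re.compile(
    r"(?P<branch>\d+\.\d+)(?:\D+(?P<major>\d+)\.(?P<minor>\d+))?"
)


def parse_version(text):
    """Parse 'NetScaler version 11.1 build 63.15' or 'NS12.0 63.13' into
    (branch, (build_major, build_minor)). Build is None when absent."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    build = None
    if m.group("major") is not None:
        build = (int(m.group("major")), int(m.group("minor")))
    return m.group("branch"), build


def patch_status(text, fixed_builds=FIXED_BUILDS):
    """Return 'patched', 'vulnerable' or 'unknown' for a reported version.

    'unknown' covers branches not in the table and strings without a
    build number; treat it as a prompt to check the advisory, not as safe.
    """
    branch, build = parse_version(text)
    fixed = fixed_builds.get(branch)
    if fixed is None or build is None:
        return "unknown"
    # Tuple comparison orders (63, 15) correctly against (60, 14) etc.
    return "patched" if build >= fixed else "vulnerable"


def classify_inventory(lines, fixed_builds=FIXED_BUILDS):
    """Classify constructed 'hostname<TAB>version' inventory lines."""
    report = {}
    for line in lines:
        host, _, version = line.partition("\t")
        try:
            report[host] = patch_status(version, fixed_builds)
        except ValueError:
            report[host] = "unparseable"
    return report


if __name__ == "__main__":
    # Constructed inventory lines, not output of any real tool.
    inventory = [
        "gw-01\tNetScaler version 11.1 build 63.15",
        "gw-02\tNetScaler version 11.1 build 60.14",
        "gw-03\tNetScaler version 12.1 build 50.28",
        "gw-04\tNetScaler VPX 12.0",
    ]
    for host, status in classify_inventory(inventory).items():
        print(host, status)
```

The value of the "unknown" outcome is that it refuses to guess: the device running 12.1 build 50.28 from the article is reported as unknown rather than patched, which is exactly the case where the article says the system should be treated as possibly compromised.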

Provide a plan

It should be clear that this vulnerability is serious and has serious consequences. The lesson to be learned from this is to have a plan ready. Of course you cannot describe every vulnerability in advance, but you as an organization need to know what to do when systems like Citrix are plagued with vulnerabilities like this one.

That's why it's good to have a plan:

  • Make sure you are well prepared. For example, who should be alerted if such a problem occurs?

  • How does the organization deal with a vulnerability on this scale?

  • If the organization depends on this system (critical system) can this system go offline? Is this accepted loss?

  • How can the damage be minimized? Consider backups, redundancy in systems and shutting down systems. Segmenting networks is also part of this.

  • It was mentioned above that the described mitigation on version 12.1 build 50.28 is not effective. So there may have been a malicious person in the system. Is it possible to do forensics to rule this out, or at least to collect evidence?

  • Eventually, the system has to start running again. So what about eradicating the problems and the possibility of recovery?

Jochen den Ouden is the instructor of the course Mindset of a hacker which will take place in Utrecht on March 9, 2020.

Every day in the news we hear about cyberattacks, hackers and data breaches. But how does a hacker actually work? How can you arm yourself and your organization against this form of crime? You do that by thinking and working like a hacker.

In addition to a higher awareness of cybersecurity, the student gains insight into what six steps a hacker takes to obtain data.
