On December 17th 2019, Citrix released a security bulletin notifying partners and customers of a vulnerability present in all supported versions of Citrix ADC and Citrix Gateway.
The vulnerability allows a remote, unauthenticated attacker to access the filesystem and execute arbitrary code on a Citrix ADC appliance. Citrix provided a mitigation shortly afterwards to prevent exploitation while fixed firmware was prepared.
On January 8th 2020 Tripwire published an article covering the vulnerability at a high level, and on January 10th the first public proof-of-concept exploit was released.
From January 11th, mass scanning of the internet for vulnerable systems was under way, and security organisations such as FireEye were observing appliances being compromised.
An article from Bad Packets identified as many as 25,000 internet-accessible deployments without the mitigation in place.
On January 16th, Citrix identified a number of Citrix SD-WAN WANOP appliances which were also vulnerable to this issue (models 4000, 4100, 5000 and 5100).
On January 20th Citrix released fixed firmware for Citrix ADC versions 11.1 and 12.0, and on January 24th fixed firmware for the remaining ADC and SD-WAN WANOP releases.
What does this mean for me?
If you applied the Citrix mitigation on or shortly after December 17th 2019, you are likely to be protected. Public exploit code did not appear until January 10th 2020, so unless you are a high-risk organisation likely to be subject to targeted attacks, your risk of having been compromised is lower.
One exception: appliances on firmware version 12.1 build 50.28 have a responder policy processing bug and may not be fully protected unless you have also run the “skip_systemaccess_policyeval” component of the mitigation.
If your appliances are licensed as Citrix Gateway (rather than Standard, Advanced or Premium edition), you will not be able to apply the mitigation, as the responder feature is not available in that license edition. On request, Citrix Support can provide a trial license for Premium Edition so that the mitigation can be implemented. The trial license is valid for 90 days, allowing time for the firmware to be upgraded.
If, however, you did not apply the mitigation until more recently, there is a higher risk that your system has been compromised. This could mean as little as someone having run a simple test against your system, but it could also mean that an attacker has read sensitive appliance configuration. It is also possible that scripts have been placed on the Citrix ADC appliance and used to gain further access into your network or to reach sensitive resources.
What should I do?
As noted above, the mitigation provided by Citrix protects against all known exploits of the vulnerability. Fixed firmware has been released for the affected versions and platforms (see the timeline above); details of the new firmware releases are in Citrix's latest security bulletin.
If you were late implementing the mitigation, or have not yet done so, implement it as soon as possible.
All firmware updates for Citrix ADC and SD-WAN WANOP appliances are available to download for all customers, with or without a current support agreement.
Customers with the mitigation in place should follow their standard change management and testing processes when upgrading, to avoid disruption to service. An issue has been identified in the new releases which may affect customers using SMS-based RADIUS challenge-response authentication from certain vendors (Azure MFA Server is not understood to be affected). The mitigation policies protect against all currently known exploits and so provide a good level of protection in the interim.
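Because the mitigation is the thing standing between an unpatched appliance and the public exploits, it is worth checking each appliance's saved configuration rather than relying on a change ticket. The following is an added example, not Citrix's or Ultima's code: it audits an exported ns.conf for the responder mitigation in the shape Citrix published (a responder policy that matches URLs containing /vpns/ which are either not SSL VPN traffic or contain /../, answers with HTTP 403, and is bound globally with -type REQ_OVERRIDE) and warns on 12.1 build 50.28, where the page notes the extra skip_systemaccess_policyeval step is needed. The configuration excerpts are constructed for illustration; the policy and action names, the #NSx.y Build n header line and the REQ_DEFAULT bind type assumed when -type is omitted are taken from the published mitigation and the layout of a saved ns.conf.

```python
"""Audit an exported Citrix ADC ns.conf for the Citrix responder mitigation.

Added example, not Citrix's or Ultima's code.  The expected shape follows the
mitigation Citrix published: a responder policy matching URLs that contain
"/vpns/" and are either not SSL VPN traffic or contain "/../", answering
HTTP 403, bound globally with -type REQ_OVERRIDE.  Config excerpts below are
constructed; the "#NSx.y Build n" header is the first line of a saved ns.conf.
"""
import re
import shlex

VERSION_RE = re.compile(r"^#NS(?P<release>\d+\.\d+)\s+Build\s+(?P<build>[\d.]+)", re.I)
EXPR_MARKERS = ("/vpns/", "/../", "CLIENT.SSLVPN.IS_SSLVPN")  # the policy must test all three
BUGGY_BUILD = ("12.1", "50.28")  # responder policy processing bug; needs the extra step

# Constructed: appliance with the mitigation applied as published.
PROTECTED_CONF = r'''
#NS13.0 Build 47.24
enable ns feature LB SSL SSLVPN AAA RESPONDER
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
'''

# Constructed: 12.1 build 50.28 with the policy bound at the default (REQ_DEFAULT) bind point.
PARTIAL_CONF = r'''
#NS12.1 Build 50.28
enable ns feature LB SSL SSLVPN RESPONDER
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END
'''

# Constructed: no mitigation, and the responder feature not enabled.
UNMITIGATED_CONF = r'''
#NS12.0 Build 60.9
enable ns feature SSL SSLVPN AAA
'''


def parse_ns_conf(text):
    """Return (version, commands): version as (release, build) from the header
    comment or None, commands as token lists.  Comments and blank lines are skipped."""
    version, commands = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = VERSION_RE.match(line)
            if m and version is None:
                version = (m.group("release"), m.group("build"))
            continue
        commands.append(shlex.split(line))  # handles the \" escapes inside expressions
    return version, commands


def audit_mitigation(conf_text):
    """Return {'protected': bool, 'version': (release, build) | None, 'findings': [str]}."""
    version, commands = parse_ns_conf(conf_text)
    responder_on, actions_403, policies, bindings = False, set(), {}, {}
    for tok in commands:
        head = [t.lower() for t in tok[:3]]
        if head == ["enable", "ns", "feature"]:
            responder_on |= any(t.upper() == "RESPONDER" for t in tok[3:])
        elif head == ["add", "responder", "action"] and len(tok) >= 6:
            if tok[4].lower() == "respondwith" and re.search(r"HTTP/1\.[01] 403\b", tok[5]):
                actions_403.add(tok[3])
        elif head == ["add", "responder", "policy"] and len(tok) >= 6:
            policies[tok[3]] = (tok[4], tok[5])  # name -> (expression, action)
        elif head == ["bind", "responder", "global"] and len(tok) >= 4:
            bind_type = "REQ_DEFAULT"  # CLI default when -type is omitted (assumed)
            if "-type" in tok and tok.index("-type") + 1 < len(tok):
                bind_type = tok[tok.index("-type") + 1].upper()
            bindings[tok[3]] = bind_type

    findings = []
    if not responder_on:
        findings.append("RESPONDER feature not enabled: responder policies are never evaluated")
    matching = [n for n, (expr, _) in policies.items() if all(m in expr for m in EXPR_MARKERS)]
    if not matching:
        findings.append("no responder policy matches /vpns/ path-traversal requests")
    for name in matching:
        action = policies[name][1]
        if action not in actions_403:
            findings.append(f"policy {name}: action {action} does not respond with HTTP 403")
        if name not in bindings:
            findings.append(f"policy {name}: not bound globally")
        elif bindings[name] != "REQ_OVERRIDE":
            findings.append(f"policy {name}: bound as {bindings[name]}; the published mitigation uses -type REQ_OVERRIDE")
    if version == BUGGY_BUILD:
        findings.append("12.1 build 50.28: policy evaluation bug; confirm the skip_systemaccess_policyeval step was run (not visible in ns.conf)")
    return {"protected": not findings, "version": version, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("protected", PROTECTED_CONF), ("partial", PARTIAL_CONF), ("unmitigated", UNMITIGATED_CONF)):
        result = audit_mitigation(conf)
        print(f"{label}: version={result['version']} protected={result['protected']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a copy of /nsconfig/ns.conf, or the output of "show ns runningConfig", taken from every appliance (and every node of an HA pair or cluster, since a policy applied on one node and not saved or synchronised protects nothing). A clean result confirms the configuration matches the published mitigation; it says nothing about whether the appliance was compromised before the policy went in, and the 12.1 build 50.28 step lives outside ns.conf, so for that build the script can only warn.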
How can I tell if we have been compromised?
Citrix has recently released a tool to help identify indicators of known exploitation on your Citrix ADC or SD-WAN WANOP platform.
This Bash script can be uploaded and executed on any version of Citrix ADC and SD-WAN WANOP to detect signs of potential compromise of the appliance. NOTE: This is based upon currently known attacks and exploits. Customers should be aware that this tool will not detect a compromise 100% of the time and will not indicate if an appliance is vulnerable to exploitation.
Customers are encouraged to ensure that the recommended mitigation is in place on their appliances and to plan an upgrade to a firmware version that includes the fix. Customers with the mitigation in place are protected against all currently known exploits; however, neither applying the mitigation nor upgrading the firmware will remove any artefacts left by a prior compromise.
If you have appliances which did not have the mitigation in place before the high-risk period beginning January 9th, you are advised to contact Citrix Support for assistance with detection and remediation.
Where can I get help?
Customers with an Ultima or Citrix Support contract can request assistance in detecting and removing any active compromise. It is important to note that upgrading the firmware alone may not remove artefacts or scripts which a remote attacker may have placed on your system.
Ultima can provide support and guidance on detecting and removing common exploitations of this vulnerability; however, this is best approached in tandem with Citrix Support to provide a concerted approach to securing your appliances. Ultima has been working closely with our managed services customers to ensure they are protected and will continue to monitor the situation until the new firmware releases are deployed.
For further guidance on this issue or to request technical assistance, please speak to your Ultima Account Manager.