With an estimated 25,000 hosts still vulnerable and proof-of-concept (PoC) exploit code now being released, things went from bad to worse for those affected by the vulnerability CVE-2019-19881. In December, Mikhail Klyuchnikov, a researcher at Positive Technologies disclosed a vulnerability that would allow for direct access to a company’s network from the Internet. He stated that this vulnerability affects all versions of Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway). Klyuchnikov also stressed how severe this vulnerability was, stating that its exploitation would be trivial, and that it would have a widespread effect on commercial organizations. Dmitry Serebryannikov, another researcher at Positive Technologies stated that "Citrix applications are widely used in corporate networks. This includes their use for providing terminal access of employees to internal company applications from any device via the Internet.” At the time, it was estimated that the vulnerability affected more than 80,000 companies, most operating within the United States. While no technical details were available at the time, we now know that the vulnerability is a result of the VPN handler failing to sanitize usersupplied inputs. This allows for an unauthenticated attacker to perform remote code execution via directory traversal.
It wasn’t until January 10th, 18 days after Positive Technologies released their report, that the first PoC was publicly released by Project Zero India. Some researchers felt that this release was irresponsible as many systems were still vulnerable and an official patch had not yet been released. Despite this, the cat was now out of the bag and many researchers then began to drop their own PoC’s. One day later, the weaponization of these PoC’s began. Reports of exploits implementing reverse shells and the development of automated scanners began to pop up. Those operating honeypots observed a spike in activity after these releases and reported up to 30,000 requests per hour. As for the total number of systems still affected, out of 60,000 scanned Citrix endpoints, it was determined that 25,121 or around 40 percent of them were still vulnerable. System administrators should be aware of this vulnerability and if their organization is vulnerable, take the steps necessary to remediate the issue. That includes following and implementing the remediation steps within Citrix’s security bulletin. The Cybersecurity and Infrastructure Security Agency (CISA) released a program that would allow system administrators to check if they are vulnerable to CVE-2019-19781. Citrix has announced the release of patches that will fix this issue starting on January 20th and extending through January 31st.