The Citrix flaw, CVE-2019-19781, was first disclosed in December 2019. The vulnerable products are the Citrix Application Delivery Controller (formerly NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway). Although Citrix had shared mitigations to prevent attacks, proof-of-concept exploit code was released to the public, fueling a wave of exploitation attempts against CVE-2019-19781.
According to Citrix, the vulnerability affects the following products: Citrix NetScaler ADC and NetScaler Gateway version 10.5, all supported builds; Citrix ADC and NetScaler Gateway versions 11.1, 12.0 and 12.1, all supported builds; and Citrix ADC and Citrix Gateway version 13.0, all supported builds.
Soon after the flaw was brought to the public's attention, some 80,000 organizations across 158 countries were found to be running vulnerable installations, many of them in the Netherlands, Australia, the United Kingdom, Germany and the United States.
Working PoC Exploits against the CVE-2019-19781 Citrix Flaw
According to the latest information, working exploits for CVE-2019-19781 now exist. Cybercriminals have been attempting to exploit the vulnerability to gain access to unpatched devices. With working proof-of-concept exploits publicly available, attackers can easily achieve arbitrary code execution on an exposed appliance without any account credentials.
Even though Citrix has not yet released a patch, it has published mitigations for affected organizations to apply in order to prevent security incidents. With the working PoC exploit in circulation, attackers are now actively exploiting the flaw, and organizations that have not applied the mitigations have probably already been compromised.
This is all bad news, especially since security experts, and nearly everyone with a basic understanding of network security, have been warning the community of the danger. That danger became very real with the release of the first working proof-of-concept code by a group of researchers calling themselves Project Zero India.
A few hours after the first PoC appeared, another team, TrustedSec, released its own. It should be noted that TrustedSec had not intended to make its PoC public, but once others had published exploit code, it decided to share its version as well.
“We are only disclosing this due to others publishing the exploit code first. We would have hoped to have had this hidden for a while longer while defenders had appropriate time to patch their systems,” the researchers explained.
We decided not to disclose the sources of the existing CVE-2019-19781 PoC exploits for security reasons.