This weekend two Proof of Concept exploits were made publicly available, released 23 days after initial discovery, much earlier than the expected 30-90 day disclosure deadline.
Because the exploits are now public, attackers have added them to their toolkits and activity is ramping up quickly. If you use the impacted Citrix technologies and have not applied the mitigations yet, you must do so immediately.
Citrix ADC and Gateway of specific versions – detailed below – were found to be vulnerable to a directory traversal in late December 2019 and given a CVE identifier – CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller and Citrix Gateway. This meant that an attacker could potentially run authenticated commands against your Citrix devices due to the directory traversal vulnerability.
At that point there was no public exploit, and Citrix had already released mitigations for the affected versions (Mitigation Steps for CVE-2019-19781). Researchers were discussing the potential of this vulnerability, but no working examples were publicly available.
An attacker is able to exploit the Citrix device through a vulnerable path to run any program, gather any data, or run any command on the device. The reliability of the attack varies with what the attacker is trying to achieve, e.g., establishing persistent remote access versus retrieving the contents of your running config.
Scanning and attack traffic associated with this threat has already grown and will continue to do so. This could allow an attacker access to your Citrix environment, to extract your configs with secrets, and run arbitrary code within the device.
If you are vulnerable and an attack is detected, you should change secrets and restore from a backup taken before the attack. If you are vulnerable but no attack was detected, you should be safe but must still apply the mitigations at https://support.citrix.com/article/CTX267679.
This attack can be detected from request logs, because it requires the attacker to request the /vpns/ path on your Citrix device. Any Blumira customers where such a path attempt was detected have been notified. However, if Blumira does not have visibility into your Citrix environment, you may need to check request logs on your firewalls and on the Citrix device itself. You can run the following command against your Citrix device over SSH to grep its HTTP request logs and determine whether such requests occurred:
ssh -t yoursshuser@address 'grep -r "/../vpns/" /var/log/http*'
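The same check carried out offline, as an added example that is not from the Blumira post or from Citrix: it parses constructed Apache-style access log lines (the format is assumed to match what the device's HTTP server writes), flags requests that use ".." to reach /vpns/ after percent-decoding the path, and summarises them per source address so you can see which requests were served rather than blocked.

```python
import re
from urllib.parse import unquote

# Apache-style access log line; the field layout is an assumption about the device's log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal_to_vpns(path: str) -> bool:
    """True if the request path uses '..' to reach the /vpns/ tree (what the grep above looks for).
    The query string is dropped and percent-encoding is undone twice so an encoded '/' or '.' still matches."""
    decoded = unquote(unquote(path.split("?", 1)[0]))
    return "/../vpns/" in decoded


def scan_access_log(lines):
    """Return (ip, timestamp, method, path, status) for every suspicious request in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal_to_vpns(m["path"]):
            hits.append((m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return hits


def summarize(hits):
    """Per source IP: how many traversal requests were seen and how many got a 200 (served, not blocked)."""
    by_ip = {}
    for ip, _ts, _method, _path, status in hits:
        entry = by_ip.setdefault(ip, {"requests": 0, "succeeded": 0})
        entry["requests"] += 1
        if status == 200:
            entry["succeeded"] += 1
    return by_ip


# Constructed sample log: two ordinary requests and two traversal attempts (one percent-encoded) from one address.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2020:10:15:32 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532
203.0.113.7 - - [11/Jan/2020:10:16:01 +0000] "GET /vpn/../vpns/ HTTP/1.1" 403 210
203.0.113.7 - - [11/Jan/2020:10:16:05 +0000] "GET /vpn/..%2Fvpns/ HTTP/1.1" 200 402
10.0.0.9 - - [11/Jan/2020:10:17:10 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9876
"""

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG.splitlines())
    for hit in found:
        print(*hit)
    print(summarize(found))
```

A source address with any succeeded request should be treated as a detected attack under the guidance above (rotate secrets, restore from a pre-attack backup).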
The following Citrix devices are impacted by this vulnerability and must be mitigated immediately – https://support.citrix.com/article/CTX267679.
Right now Citrix does not have a patch for this vulnerability and has only published target dates for its release. The affected code is likely a core component of the device, and fixing it has had unforeseen consequences that require re-engineering, forcing a slower release. Blumira will notify affected organizations when the patch for their impacted device is available.
| Version | Refresh Build | Expected Release Date |
|---------|---------------|-----------------------|
| 10.5 | 10.5.70.x | 31st January 2020 |
| 11.1 | 11.1.63.x | 20th January 2020 |
| 12.0 | 12.0.63.x | 20th January 2020 |
| 12.1 | 12.1.55.x | 27th January 2020 |
| 13.0 | 13.0.47.x | 27th January 2020 |