Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781

On Friday, January 10, 2020, our honeypots detected opportunistic mass scanning activity originating from a host in Germany targeting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers vulnerable to CVE-2019-19781. This critical vulnerability allows unauthenticated remote attackers to execute commands on the targeted server after chaining an arbitrary file read/write (directory traversal) flaw.

The activity detected from attempted to download the “smb.conf” file. This configuration file doesn’t appear to contain highly sensitive information by default, however a successful response to the scan will indicate the targeted server is vulnerable to further attacks.

On Sunday, January 12, 2020, our honeypots detected multiple CVE-2019-19781 exploit attempts from a host in Poland. This differed from the previous scanning activity as it conducted the actual remote code execution exploit and targeted ports 443, 2083, 2087, and 8443/tcp.

Given the ongoing scanning activity detected by security researcher Kevin Beaumont and SANS ISC since January 8, 2020 – it’s likely attackers have enumerated all publicly accessible Citrix ADC and Citrix (NetScaler) Gateway endpoints vulnerable to CVE-2019-19781.

How many hosts are vulnerable to CVE-2019-19781?

Using data provided by BinaryEdge, we scanned over 60,000 Citrix endpoints to determine which were vulnerable. On Saturday, January 11, 2020, our scans found a total of 25,121 unique IPv4 hosts worldwide vulnerable to CVE-2019-19781. Of these results, we cataloged 18,155 SSL certificates with unique domain names.

No sensitive information was disclosed or recorded during our scans as we only sent a HTTP HEAD request to confirm the vulnerability.

Where are the vulnerable servers located?

Vulnerable hosts were found in 122 countries around the world.

Hosts vulnerable to CVE-2019-19781 by country

This interactive map shows the total vulnerable hosts found per country. Overall, the most vulnerable Citrix endpoints were located in the United States.

What type of organizations are affected by CVE-2019-19781?

4,576 unique autonomous systems (network providers) were found to have vulnerable Citrix endpoints on their network. We’ve discovered this vulnerability currently affects:

  • Military, federal, state, and city government agencies
  • Public universities and schools
  • Hospitals and healthcare providers
  • Electric utilities and cooperatives
  • Major financial and banking institutions
  • Numerous Fortune 500 companies

How is CVE-2019-19781 exploited and what is the risk?

This critical vulnerability is easy for attackers to exploit using publicly available proof-of-concept code. Various methods demonstrating how to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec. A forensic guide is available detailing how to check Citrix servers for evidence of a compromise.

Further exploitation of this vulnerability could be used to spread ransomware (similar to CVE-2019-11510) and cryptocurrency mining malware on sensitive networks. If multiple servers are compromised by the same threat actor, they could be weaponized for coordinated malicious activity such as DDoS attacks.

Closing Remarks

Organizations using vulnerable Citrix ADC and Citrix (NetScaler) Gateway servers should immediately follow the recommended mitigations steps or upgrade to fixed versions prevent compromise. As of January 24, 2020, Citrix has released firmware updates for all products affected by CVE-2019-19781. Given the criticality (CVSS score: 9.8) coupled with the risk of unauthorized access to private networks, there’s little time to take action before threat actors exploit vulnerable servers further. Multiple open source tools are available to locate IOCs and other artifacts left over from exploit activity. CISA has provided procedures and tools for detecting a CVE-2019-19781 compromise.

How to obtain our CVE-2019-19781 report

Due to the sensitive nature of this vulnerability, the affected Citrix endpoints detected by our scans will not be shared publicly. However, the list is freely available for authorized government CERT, CSIRT, ISAC, and law enforcement teams to review. FIRST Team membership is preferred, but not required.

A feed of hosts conducting CVE-2019-19781 related scans and exploit activity is available for our Research and Enterprise CTI customers. Commercial licenses are also available for our vulnerability data, please contact us for more information.

We’ve shared our findings directly with US-CERT (CISA/DHS) and other U.S. federal law enforcement agencies for further investigation and remediation. Additionally, we notified these organizations: ACSC, aeCERT, Amazon SIRT, AusCERT, CareCERT, CCCS, CCN-CERT, CERT Nazionale Italia, CERT NZ, CERT Orange Cyberdefense, CERT POLSKA, CERT.at, CERT.be, CERT.br, CERT-EE, CERT.hr, CERT.LV, CERT.PT, CERT/CC, CERT-Bund, CERT-FR (ANSSI), CERTGOVIL, CERT-In, CERT-MX, CERT-SE, CFCS-DK, CIRCL.LU, CNCERT/CC, colCERT, CSIRT BNP Paribas, CSIRT-DSP, Deutsche Telekom CERT, DKCERT, ECS-CSIRT, E-ISAC, FSA SOC (ed.gov), FS-ISAC, GovCERT.ch, GovCERT.CZ, GovCERT.HK, GOVCERT.LU, H-ISAC, HKCERT, ICIC-CERT, INCIBE-CERT, IRISS-CERT, JPCERT/CC, KN-CERT, KPN-CERT, Legal-ISAC (NL), MSCERT (MSRC), MS-ISAC, MyCERT, NCIIPC, NCIS (DoD), NCSC, NCSC-FI, NCSC-IE, NCSC-NL, NCSC-NZ, NorCER, NTT-CERT, Q-CERT, REN-ISAC, RT CERT, RU-CERT, SANReN CSIRT, Saudi CERT, SingCERT, SUNet CERT, ThaiCERT, TTCSIRT, TWCERT/CC, TWNCERT, VECIRT, WFC SOC, YOROI-CSDC, and Z-CERT.

This list will be updated frequently as notifications are still ongoing by Bad Packets.

Follow-up CVE-2019-19781 Scans

January 31, 2020 scan results: 7,133 vulnerable Citrix servers detected worldwide

February 14, 2020 scan results: 5,915 vulnerable Citrix servers detected worldwide

6 thoughts on “Over 25,000 Citrix (NetScaler) endpoints vulnerable to CVE-2019-19781”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.