Written by Sean Lyngaas
It’s been more than two weeks since researchers went public with a critical vulnerability in products made by corporate VPN service provider Citrix that could give a hacker free rein over the many enterprise networks that use the software.
Now, with no sign of a complete patch for the vulnerability, cybersecurity experts are exhorting organizations to address the issue.
“It’s extremely important to apply the mitigation steps and recognize that there is no patch for this,” said Dave Kennedy, founder of cybersecurity company TrustedSec, adding that he has already seen attackers scanning for vulnerable systems.
“We have a working exploit, and it took us under a day to develop it,” Kennedy told CyberScoop. “Attackers have the same capabilities.”
The flaw, discovered by cybersecurity company Positive Technologies, is in a Citrix cloud-based application delivery tool, as well as a product that allows remote access to the company’s applications. Based on the popularity of the software tools, Positive Technologies claimed that the vulnerability could affect tens of thousands of companies. CyberScoop has asked Citrix for an estimate of the number of devices affected.
“Lots of good security architectures appropriately rely on Citrix to reduce the attack surface significantly and now they are at significant risk,” Rob Joyce, a senior official at the National Security Agency, said in a tweet urging users to patch the vulnerability.
The Citrix RCE is a doozie. Lots of good security architectures appropriately rely on Citrix to reduce the attack surface significantly and now they are at significant risk. Get this patched. https://t.co/7B9d7e7YK7
— Rob Joyce (@RGB_Lights) January 10, 2020
The challenge is that there isn’t a full-fledged patch for the flaw, only a stop-gap measure, known as a “workaround,” that Citrix provided last month. The company has said it will release a firmware update to fully address the issue, but it is unclear when that will happen. Citrix did not respond to a request for comment.
Kennedy said that a patch from Citrix could address the full suite of security implications of the vulnerability — rather than just the directory traversal that the workaround addresses.
Meanwhile, researchers like Kennedy have quietly built exploits for the Citrix vulnerability in order to bolster defenses, much like they did for the critical BlueKeep vulnerability in old Windows operating systems that emerged last May.
Security company MDSec on Friday released its own study of the Citrix vulnerability and how it might be exploited.
“Due to the number of devices impacted, MDSec have decided to not provide a ready-made exploit for this vulnerability,” wrote Rio Sherri, a security consultant at the company.
“However, we are aware of multiple actors who have now weaponized this vulnerability and felt it important to share this research so others can take appropriate action,” Sherri added.