IoC scanner targets critical, unpatched flaw in Citrix Application Delivery Controller (ADC) and Citrix Gateway
Citrix and FireEye Mandiant on Wednesday released a new tool that scans for indicators of compromise (IoCs) related to the recently disclosed directory-traversal vulnerability, designated CVE-2019-19781, in some versions of Citrix Application Delivery Controller (ADC) and Citrix Gateway.
The Lowdown: The release of the tool comes as security researchers report mass scanning for vulnerable hosts and the release of at least two proof-of-concept exploits targeting the flaw. The bug, which was made public late last month, potentially allows unauthenticated remote attackers to run arbitrary code on vulnerable systems.
The Details: The Citrix/FireEye tool is designed to allow customers to run locally against their Citrix instances and receive a quick assessment of potential indications of compromise in their systems based on known attacks and exploits. The free tool is compatible with all supported versions of Citrix ADC and Citrix Gateway, including 11.1, 12.0, 12.1, 10.5, and 13.0, and Citrix SD-WAN WANOP versions 10.2.6 and 11.0.3.
In addition to applying previously released mitigation steps and installing permanent updates that began rolling out earlier this week, Citrix and FireEye strongly recommend all Citrix customers run the new tool as soon as possible to gauge security posture and to take defensive action if necessary.
Patches for all affected systems are due for release by the end of this week, officials said.
The Buzz: “As we worked closely with various Citrix customers in their response to CVE-2019-19781, we developed an understanding of the active threats related to this vulnerability,” said Charles Carmakal, Chief Technology Officer of FireEye Mandiant. “We believe it is in the best interest of Citrix customers using affected product versions and the entire security community for us to join forces with Citrix to offer a free tool that organizations can rapidly deploy in their own environments to identify potential indicators of compromise of their systems.”
“While our security and engineering teams have been working around the clock to develop, test, and deliver permanent fixes to CVE-2019-19781, we have been actively thinking of ways to assist our customers in understanding if and how their systems may have been affected,” said Fermin J. Serna, Citrix’s Chief Information Security Officer. “We partnered with FireEye Mandiant … to develop a tool that leverages their knowledge of recent attacks against CVE-2019-19781 to help organizations identify potential compromises.”