Hackers are apparently scanning the web for systems affected by the recently disclosed Citrix vulnerabilities, the same flaws the vendor has suggested are less likely to be exploited than last year's CVE-2019-19781.
Citrix informed customers earlier this week that it has patched a total of 11 vulnerabilities affecting its ADC, Gateway, and SD-WAN WANOP networking products. The flaws can be exploited for local privilege escalation, DoS attacks, authorization bypass, code injection, and XSS attacks.
While some of the vulnerabilities can be exploited remotely without authentication, the vendor highlighted that many of them require access to the targeted system, user interaction, or other preconditions, and also pointed out that the latest issues are not related to CVE-2019-19781, a vulnerability that various threat groups have been exploiting since January.
In addition to its advisory, Citrix published a blog post written by its CISO, Fermin J. Serna, to “avoid confusion and limit the potential for misinterpretation in the industry and our customer set.” Serna downplayed the impact of the flaws, suggesting that they are less likely to be exploited compared to CVE-2019-19781.
He also noted that the latest issues are fully addressed by the patches, unlike CVE-2019-19781, for which the company initially released only temporary mitigations due to the high risk of exploitation.
However, Johannes Ullrich, dean of research at the SANS Technology Institute, reported on Thursday that a honeypot set up to capture attacks aimed at F5 Networks’ BIG-IP systems recorded attempts to exploit two of the recent Citrix vulnerabilities.
Ullrich says their honeypot has been hit by attempts to download files and obtain information, which are likely part of scans looking for vulnerable Citrix systems.
The expert said it was unclear which of the 11 CVEs are targeted, but he believes the most likely candidates are CVE-2020-8195 and CVE-2020-8196. Both security holes have been described as information disclosure issues whose exploitation requires authentication on the NSIP (NetScaler IP), the management address of a Citrix ADC appliance. That precondition is the reason the vendor rates them as lower risk; it only holds, however, for appliances whose management interface is not reachable from the internet.
CVE-2020-8195 and CVE-2020-8196, along with three others among the 11 vulnerabilities patched by Citrix this week, were reported to the vendor by researcher Donny Maasland, who has published a blog post describing his findings in detail.
While Citrix said it was withholding technical information to prevent exploitation, Maasland disagrees with this approach, and he noted that his research targeted the NSIP, which should not be exposed to the internet in the first place.
“I firmly believe that when you don’t provide technical details about vulnerabilities you are preventing defensive teams from creating proper detection and mitigation measures against security issues as well as preventing new security analysts and developers from learning from past mistakes. If other people hadn’t created write-ups of the vulnerabilities they found, I wouldn’t have been able to find these results you see here today,” the researcher said.
“Furthermore, you will see that everything I’m disclosing here isn’t exactly rocket science. I’m even willing to bet most of these vulnerabilities have been known to other people for a while now,” he added.