Remote-access Guide

Citrix remote access vulnerabilities

by Alexandra Daniel | Published 3 years ago, updated 2 years ago

Digital workspace and enterprise networks vendor Citrix has announced a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway. If exploited, it could allow unauthenticated attackers to gain remote access to a company’s local network and carry out arbitrary code execution.

Vulnerabilities have been identified in Citrix Workspace app and Citrix Receiver for Windows that could allow a local user to escalate their privileges to administrator during the uninstallation process. The issues have the identifiers CVE-2020-13884 and CVE-2020-13885.


What is the Citrix gateway vulnerability?

On January 19, 2020, Citrix released the first permanent fixes for a vulnerability in the company's Citrix Application Delivery Controller (ADC) and Citrix Gateway virtual private network (VPN) servers that allowed an attacker to remotely execute code on the gateway without needing a login.

What is the Citrix ADC vulnerability?

A vulnerability has been identified in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

What is the CVE number for the Citrix SD-WAN WANOP vulnerability?

The vulnerability has been assigned the following CVE number:

• CVE-2019-19781: Vulnerability in Citrix Application Delivery Controller, Citrix Gateway and Citrix SD-WAN WANOP appliance leading to arbitrary code execution

The vulnerability affects the following supported product versions on all supported platforms:

What is Citrix secure Internet access?

Citrix Secure Internet Access works within a secure access service edge (SASE) architecture to protect users and the corporate network itself from threats such as malware, phishing, and ransomware.


Is Citrix remote desktop secure?

Citrix ADC is a secure and unified front-end for all applications that provides administrators granular application and device-level control, while enabling users to single sign-on across all applications from one URL, and giving them access to these applications from anywhere, and by using any device.

Why is Citrix so unreliable?

The main problem with Citrix is its overly complex architecture and licensing structure. A typical Citrix infrastructure has too many components and interdependencies.

Are Citrix connections encrypted?

Citrix DaaS handles four types of credentials. User credentials: when using a customer-managed StoreFront, the Cloud Connector encrypts user credentials with AES-256 and a random one-time key generated for each launch.

What is the difference between Citrix Receiver and Citrix workspace?

Citrix Workspace app is a new client from Citrix that works similar to Citrix Receiver and is fully backward-compatible with your organization's Citrix infrastructure. Citrix Workspace app provides the full capabilities of Citrix Receiver, as well as new capabilities based on your organization's Citrix deployment.

Is Citrix reliable?

Citrix Workspace is an excellent software for accessing work files from home, but it has some hurdles to overcome while setting up. Citrix Workspace allows me to log in and access my files at work from home. It is very effective after getting it set up. Easy to use once set up.

Is Citrix any good?

"Citrix, when paired with two-stage security, is one of the best software suites on the market." "The web interface is easy to access and easy to use."

Is Citrix safe on public WiFi?

Avoid sensitive websites. If you're on public WiFi and aren't connected through a secure connection (Citrix, VPN), your safest bet is not to log into sensitive sites such as a bank account. Wait until you are back on your home or office network, or any secured network that you trust.

Is Citrix a VPN connection?

Citrix Workspace provides a cloud- based, VPN-less solution to access all intranet web, SaaS, mobile, and virtual applications—whether using managed, unmanaged, or bring-your-own devices (BYOD) over any network.

What is Citrix encryption?

Citrix Files Encrypted Email allows you to encrypt the body of your message to your recipient, along with any attachments, with industry-standard AES 256 bit encryption.

What is Citrix Receiver now called?

The aim is to make the solutions an easier and more flexible experience for customers and to simplify the way users and potential users view the products. Citrix Workspace product renames (Jul 10, 2018):

Previously named -> New name
XenDesktop -> Citrix Virtual Desktops
Citrix Receiver -> Citrix Workspace app

Why do companies use Citrix?

Citrix Workspace ensures that users have a great experience and can be productive independent of device, location or application used. Citrix Workspace ensures corporate data is safe and malicious activities are spotted quickly. Citrix Workspace ensures admins can manage and support the digital workspace efficiently.

Is Citrix still relevant?

“We have completely transitioned from Citrix to an online workspace with SaaS solutions. This brings a drastic reduction in costs for licenses, maintenance and management. Now everyone can work from any device, this was not possible before.”

Why does Citrix lag?

When "Citrix is slow" refers to in-session performance, the cause is usually one of three things: network issues, server resource contention, or end-user behaviour.

How do I improve my Citrix connection?

Make sure the file servers, print servers and user profiles are in the same subnet as the Citrix servers, especially when using profile redirection settings. Reduce the logon time as far as possible, because the servers are under their greatest load during logon/logoff.

How do I reduce latency in Citrix?

Latency can be minimized by reducing the amount of data that needs to be sent over the network to update the user's screen. Compression and caching enable smaller, less expensive network pipes to be used.

How much speed is required for Citrix?

Citrix recommends that the host computer have at least 4 GB of RAM and four virtual CPUs with a clock speed of 2.3 GHz or higher.

Why is remote access important?

An access control solution that employees and stakeholders can use safely will simplify operations and increase productivity. Ensure employees have seamless access to the applications and resources they need even when they move across devices, and improve efficiency with the flexibility to store and access data securely.

What is contextual network security?

A contextual network security solution can provide zero-trust functionality while enabling BYOD policies. With an on-premises connector, you can have a single control channel to the company’s environment. Your employees can connect to business web apps without the need for a VPN, improving security and user experience.

What are some of the biggest workspace security challenges?

Companies face many data security risks when it comes to threat detection and prevention. For example:

What is workspace security?

Workspace security refers to the application of tools and solutions to protect sensitive data, networks, and access in digital workspaces without disrupting the user experience.

Why do companies need to have secure access to data?

With the increase of hybrid workforces, both remote and in-house employees need easy and secure access to applications and data. Companies cannot risk their data over dispersed devices without a central security system.

Is remote work here to stay?

Remote Work Is Here to Stay. After the COVID-19 pandemic, workers did not return to the office as quickly as expected and many businesses began moving to flexible schedules. These transitions to a hybrid workforce resulted in an increased attack surface as employees began to access company resources from more locations and on more devices.

Is there a lack of data protection against attacks at the API level?

A lack of data protection against attacks at the API level is concerning. On-premises security solutions have limited scalability, so they cannot protect against large-scale attacks. For instance, a volumetric DDoS attack can overwhelm an on-premises solution that may not stop it before it enters the network.

What is Citrix ADM?

With Citrix ADM, you can see your entire hybrid or multi-cloud environment in one view, which allows you to focus on specific details of your ADC infrastructure such as application performance, health, and security.

What is Citrix application delivery?

Citrix application delivery and security is designed to provide comprehensive enterprise application security and deliver a top-line user experience for apps running on any infrastructure. Centered around a robust application delivery controller (ADC), our platform uses AI and machine learning capabilities to provide a consistent security posture against application security threats, both known and unknown. With our single-vendor enterprise application security solution, all application types can be monitored and controlled using a single pane of glass with end-to-end visibility, no matter where they are deployed.

What is application security?

Application security is the practice of deploying security tools, processes, and best practices throughout the entire application lifecycle to safeguard enterprise applications and APIs from internal or external attacks, privilege abuse, or data theft. As apps and APIs contain valuable data, cyber criminals are more motivated than ever to source and exploit their vulnerabilities to steal sensitive information or intellectual property.

What is bot attack?

Bot attacks use automated web requests to manipulate or disrupt an application or API. Common bot attacks include web content scraping, account takeover (ATO), form submission abuse, and API abuse.

What is monitoring end user activity?

Monitoring end user activity: Keep track of the actions your end users take while using your applications, accessing data, or connecting to unsanctioned networks.

What is authorization management?

Authorization management: check the application's access levels, what each user can reach, and what actions they can perform. Also run tests that simulate attacks such as path traversal against the web servers (attempts to reach files and directories stored outside the document root) and tests for attacks that exploit insecure direct object references.

What is the threat landscape of an application?

The application threat landscape is vast, which means your organization must mitigate security risks throughout the entire application lifecycle. The Open Web Application Security Project® (OWASP), in its bid to help businesses reduce their security exposure, has compiled a list of the top 10 critical security risks for applications your organization should be prepared for, including the following types of attacks:

When was the Citrix attack?

The cyber attack occurred on January 11, 2020 and was not discovered by the security team until January 28 (though it appears that the automated firewall blocked communications with the attacker's command-and-control servers on January 13). The initial public disclosure of the Citrix vulnerability (CVE-2019-19781) was on December 17, 2019, at which time Citrix Systems issued mitigations to address the issue and alerted customers. Additionally, the National Institute of Standards and Technology (NIST) issued a warning about the Citrix vulnerability on December 31 and marked it as having a "critical" severity rating. The first proof-of-concept exploit code was published on GitHub just one day before the cyber attack on the Census Bureau servers.

Did Citrix hacking access the 2020 census?

The Census Bureau says that the attackers did not access any 2020 census information; census takers generally begin going out as the winter season calms down in April. The Citrix vulnerability opened a path for the attackers to remotely execute malicious code, but the government report indicates that they were only able to breach the internal network used to manage the agency’s remote workers before the backdoor was discovered and removed.

Did the Census Bureau stop the Citrix attack?

While the Bureau did ultimately stop the cyber attack without any known damage, even if it was done inadvertently by automated security tools, the follow-up investigation revealed a worrying amount of endemic weaknesses just waiting to be exploited by an opening such as the Citrix vulnerability.

Hundreds of US government agencies have vulnerable VPNs, data shows

Lots to patch

That makes for lots of work over the next few weeks for Citrix customers, which include thousands of government agencies, educational institutions, hospitals, and major corporations worldwide.

Why is the directory traversal possible?

This directory traversal vulnerability is caused by improper handling of the pathname. The system has no sanitisation check and uses the path from the incoming request directly. When the vulnerable system receives a request containing a path such as /vpn/../vpns/services.html, the Apache server running in the Citrix products resolves /vpn/../vpns/ to simply /vpns/, so a request that looks like it targets the public /vpn/ tree ends up in the internal /vpns/ tree. This weakness in the appliance's path handling allows remote attackers to send directory traversal requests and read sensitive files without authenticating.

What is the vulnerability score for CVE-2019-19781?

This vulnerability is tracked as CVE-2019-19781 and carries a 9.8 (critical) CVSS v3.1 base score. Unit 42 researchers found scanning activity in the wild that leverages this vulnerability and have identified additional Indicators of Compromise since public proof-of-concept code appeared on January 10, 2020 (the vulnerability itself was disclosed on December 17, 2019). Palo Alto Networks released protection for our customers on January 7, 2020 through Threat Prevention Signatures 57497 and 57570.

Is CVE-2019-19781 being exploited?

This vulnerability has wide exposure in customer environments around the world and is being widely exploited according to Unit 42 and other security research organisations. Unfortunately, it is also easy to exploit and leads to remote code execution.

Can directory traversal be used without authentication?

In other situations it can be more severe. When the directory traversal applies to user input that is neither authenticated nor sanitised, the attacker can use a POST request to write a crafted XML file onto the vulnerable server. When the attacker then sends another HTTP request for the rendered file, the malicious code inside the XML file is executed.
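To make the two passages above concrete (the /vpn/../vpns/ path resolution, and the write-a-file-then-fetch-it sequence), here is an added example. It is not code from the original page and not Citrix's code; the prefix-based access rule is a simplified model of the check being bypassed, the log lines, IP addresses and file names are constructed for illustration, and the hardened check only follows the shape of Citrix's published responder-policy mitigation (block a decoded URL containing /vpns/ unless the client is an authenticated VPN session and the URL contains no /../), not the policy text itself.

```python
"""Added example, not code from the original page or from Citrix: shows why a
raw-prefix access rule is bypassed by '/vpn/../vpns/...', what a normalising
check looks like, and how to spot the pattern in web-server access logs.
The log lines, IP addresses and file names below are constructed for
illustration; the hardened check mirrors the shape of Citrix's published
responder-policy mitigation but is not that policy."""
import posixpath
import re
from urllib.parse import unquote


def normalize_path(raw_path: str) -> str:
    """Resolve '.' and '..' the way a web server does before serving a file:
    '/vpn/../vpns/services.html' becomes '/vpns/services.html'."""
    decoded = unquote(raw_path.split("?", 1)[0])  # drop query string, undo %2e%2e
    normalized = posixpath.normpath(decoded)
    return normalized if normalized.startswith("/") else "/" + normalized


def vulnerable_is_allowed(raw_path: str, authenticated: bool) -> bool:
    """Weak rule: the public '/vpn/' login tree is reachable before login.
    It inspects the raw string, so '/vpn/../vpns/...' passes, and the server
    then resolves it into the internal '/vpns/' tree."""
    return raw_path.startswith("/vpn/") or authenticated


def hardened_is_allowed(raw_path: str, authenticated: bool) -> bool:
    """Decide on the decoded, normalised path instead. Unauthenticated access
    to '/vpns/', or any use of '/../' to reach it, is refused outright."""
    decoded = unquote(raw_path)
    if "/vpns/" in decoded and (not authenticated or "/../" in decoded):
        return False
    path = normalize_path(raw_path)
    if path.startswith("/vpns/"):
        return authenticated
    return path.startswith("/vpn/") or authenticated


# Apache-style access log line: ip ident user [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (illustrative addresses and file names, not real IoCs).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jan/2020:02:14:03 +0000] "GET /vpn/../vpns/services.html HTTP/1.1" 200 1834',
    '203.0.113.7 - - [11/Jan/2020:02:14:09 +0000] "POST /vpn/../vpns/portal/scripts/upload.pl HTTP/1.1" 200 15',
    '203.0.113.7 - - [11/Jan/2020:02:14:11 +0000] "GET /vpn/../vpns/portal/example.xml HTTP/1.1" 200 412',
    '198.51.100.4 - - [11/Jan/2020:02:20:41 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120',
    '198.51.100.9 - - [11/Jan/2020:02:21:05 +0000] "GET /vpn/%2e%2e/vpns/services.html HTTP/1.1" 200 1834',
]


def find_traversal_attempts(log_lines):
    """Return one record per request whose raw path used '..' (plain or
    percent-encoded) and resolved into the internal '/vpns/' tree."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        raw = m["path"]
        resolved = normalize_path(raw)
        if resolved.startswith("/vpns/") and ".." in unquote(raw):
            hits.append({"ip": m["ip"], "method": m["method"], "raw": raw,
                         "resolved": resolved, "status": int(m["status"])})
    return hits


def write_then_fetch_sources(hits):
    """Sources that POSTed into '/vpns/' and later fetched something from it:
    the 'write a crafted file, then request it so it renders' sequence."""
    posted, flagged = set(), []
    for h in hits:
        if h["method"] == "POST":
            posted.add(h["ip"])
        elif h["method"] == "GET" and h["ip"] in posted and h["ip"] not in flagged:
            flagged.append(h["ip"])
    return flagged


if __name__ == "__main__":
    for path in ("/vpn/index.html", "/vpn/../vpns/services.html"):
        print(f"{path:32} weak={vulnerable_is_allowed(path, False)} "
              f"hardened={hardened_is_allowed(path, False)}")
    hits = find_traversal_attempts(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:14} {h["method"]:4} {h["raw"]} -> {h["resolved"]} ({h["status"]})')
    print("write-then-fetch sources:", write_then_fetch_sources(hits))
```

Two things are worth noticing when running it. The weak rule and the server disagree about what path is being served, which is the whole bug: the rule sees /vpn/, the filesystem sees /vpns/. And in the log scan a single traversal hit is noise from a scanner, whereas a POST into /vpns/ followed by a GET from the same source is the write-then-render sequence and deserves a forensic look at the appliance, not just a patch.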

Penetration testing Citrix and RDP-based remote access systems

In this section, we will take a look at performing penetration testing on two popular remote access systems found in most IT environments: Citrix and Microsoft's Remote Desktop Protocol (RDP).

Citrix penetration testing

Most of us have probably heard of Microsoft's RDP, which lets a user remotely access another Windows machine across a network through a graphical user interface (GUI). Citrix is similar to RDP but performs considerably better while still providing an interactive user interface.

How many Citrix ADC nodes are there?

Rapid7 researchers also routinely monitor exposure across the global public internet through Project Sonar. We've found over 57,000 Citrix ADC nodes on the public internet, depicted on the graph below:

What is a directory traversal vulnerability?

On Dec. 17, 2019, a directory traversal vulnerability was announced in the Citrix Application Delivery Controller and Citrix Gateway that would allow a remote, unauthenticated user to write a file to a location on disk. Affected products include:

How does Rapid7 rate the vulnerability?

Rapid7 researchers rate this vulnerability as high-value for attackers. It is trivial to exploit and known to be actively exploited in the wild. Security community researchers have previously noted opportunistic scanning and exploitation; Rapid7 researchers and external researchers have also noted that Citrix NetScaler AMIs on AWS Cloud are vulnerable by default out of the box (as of Jan. 12, 2020).

Does Citrix ADC 12.1 have a bug that defeats the mitigation?

Yes. A firmware bug in Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31 prevents the mitigation from working on those builds. Citrix advises customers on them to update to an unaffected build and then ensure the mitigation is applied.

Was there a window in which exploitation was possible?

There was a sufficient window in which vulnerable targets were exposed to attackers that exploitation was possible and is probable, even for targets that had the mitigation applied. Rapid7 customers who use Citrix ADC in their environment should audit it for signs of exploitation, or consult the Rapid7 Managed Services team for advice, even if they have since patched or applied the mitigation.

Does Rapid7 see trace levels of probes for vulnerable systems?

Rapid7 Labs continues to see trace levels of probes for vulnerable systems in Project Heisenberg, so if you're in the "Likely Still Vulnerable" bucket, you should inspect your exposed systems, go the extra mile and re-image them (once you've collected any forensic evidence), and ensure you're working with the latest supported version from Citrix.

Does Insightidr work with Citrix?

InsightIDR does have an integration with Citrix Netscaler, you can find the documentation here: https://insightidr.help.rap...
