Threat actors are actively scanning the web in search of systems impacted by the recently disclosed Citrix vulnerabilities.
Last week, Citrix released security updates to address a set of 11 vulnerabilities affecting its Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP (appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO) networking products. One of the flaws (CVE-2020-8194) could be exploited for remote code execution, while others could result in information disclosure or could allow a remote user to escalate privileges on the system.
While some of the patched flaws can be exploited remotely without authentication, Citrix CISO, Fermin J. Serna explained in a blog post that many of them have “barriers to exploitation” such as requiring the attackers have access to the targeted system, user interaction, and other preconditions. Serna also pointed out that for this reason the flaws are less likely to be exploited compared to CVE-2019-19781, a vulnerability that various hacker groups have been actively exploiting since the start of this year.
However, Johannes Ullrich, the head of research at the SANS Technology Institute said he detected attacks on one of the honeypots set up to capture attacks attempting to exploit the recently disclosed flaw in the F5 Networks’ BIG-IP systems was targeted by attackers attempting to exploit two of the recent Citrix vulnerabilities.
“As of today, my F5 honeypot is getting hit by attempts to exploit two of the Citrix vulnerabilities disclosed this week. Details with proof of concept code snippets were released yesterday,” the researcher said.
“It is not clear exactly which CVE was assigned to which vulnerability, but the possible candidates are CVE-2020-8195, CVE-2020-81960.”
Both vulnerabilities have been described as information disclosure issues whose exploitation requires authentication on the NSIP, the IP address at which a Citrix ADC appliance can be accessed for management purposes.
“The vulnerability isn't all that "bad." It is not allowing access to anything else. But it could very well be used to identify unpatched devices,” Ullrich pointed out.