At this point you’ve certainly seen endless numbers of articles and posts about the critical security flaws in Citrix’s Appliance Delivery Controller and Gateway products. The flaw - CVE-2019-19781 - is a vulnerability that allows an attacker to run a command on your system or read files on your server. There have already been a few proof of concept exploits released by researchers.
There has been quite a bit of noise about the lack of patches for these issues from Citrix, as well as the complexity of the suggested mitigation techniques organizations should utilize in the interim. SearchSecurity recently reported that one of the security researchers who identified the initial attempts to attack the Citrix flaws, Johannes Ullrich of the SANS Internet Storm Center, believes that the code issues could have stemmed from Citrix’s NetScaler acquisition back in 2005:
"The code appears to have never undergone any real code review and the flaws are significant and should be easy to spot if anybody with even a modest application security background would have reviewed the code," Ullrich told SearchSecurity. "I can only hope that they used the additional time for a code review and maybe they will not just fix the vulnerabilities pointed out by Positive Technologies, but they will also update some of the outdated vulnerable components that are included in their software and squash a few additional security issues that haven't been made public yet."
The good(ish) news is that the first round of patches is expected to be introduced on January 20th, with the remaining patches being delivered through the end of January. But this situation presents an opportunity to reflect on the broader issues at play here.
And at the end of the day, complexity is the enemy of security. In a world that is moving/has moved to the cloud, does it still make sense to utilize legacy pre-cloud products that require significant infrastructure and management? For many organizations, virtual desktop infrastructure (VDI) creates an entirely new subset of IT infrastructure that has to be licensed, administered and maintained. This complexity can rapidly become expensive and resource intensive, which can lead to security issues.
But as we look at the volumes of proposed solutions that have been the industry’s natural reaction to the lack of patches, there is a definitive theme:
When dealing with a complex environment that is hard to manage and introduces security challenges, the last thing you want to do is increase your attack surface. Yet the industry seems to be suggesting an endless stream of “solutions” that layer on additional complexity with other third-party security solutions.
But consider a different approach. What if rather than doubling down on expensive, complex, and insecure legacy VDI products you could instead replace those with solutions that were actually built for the cloud. Solutions that can dramatically reduce complexity, eliminate the management and security headaches, and cut costs at the same time.
Take virtual application delivery platforms, for example. Whereas many organizations rely on costly and complex VDI solutions to provide their users with access to business-critical Windows applications, virtual application delivery platforms like Cameyo enable you to deliver any Windows app to any device, from the browser, at a fraction of the cost of VDI - without the security concerns of patching and managing legacy infrastructure. And because Cameyo is a truly built-for-the-cloud service that works in any environment - cloud, on-premises, or hybrid - you can get started today and deliver your apps to your users within hours or days.
So whether you’re at the end of your rope with Citrix security issues, or if the overall cost and complexity of VDI is driving you crazy, consider cloud-native virtual application delivery solutions as an alternative.
UPDATE: Monday, 1/20/20 - Per ZDNet, FireEye has identified a hacker that is "patching" Citrix servers to gain exclusive access, and they believe this person to be a bad actor. The ZDNet article goes on to talk more about what we discussed above regarding the fact that Citrix provides hackers a "giant attack surface to go after."
The article also discusses how Citrix was caught unprepared without a patch for customers, making this situation even worse"
"Instead, Citrix published mitigation advice that Citrix appliance owners could apply and secure their servers. Unfortunately, this mitigation advice did not work as intended for all Citrix versions, some of which remained vulnerable to attacks."
In fact, the situation has become so dire that some governments are now telling people to turn off Citrix in their environments:
"Yesterday, the Dutch national cyber-security agency (NCSC) began advising companies and government agencies that run Citrix ADC or NetScaler Gateway servers to turn off systems until an official patch was ready, citing the "uncertainty about the effectiveness of the mitigation measures.""
We'll continue to update this post as things evolve.
UPDATE: Friday, 1/24/20 - After releasing the first patches earlier this week (for certain versions of ADC and NetSclaer), Citrix has now released patches for SD-WANOP, which are available on the Citrix support site.
Citrix's CISO, Fermin Serna, confirms that all customers must upgrade all Citrix SD-WAN WANOP versions to build 10.2.6b or 11.0.3b. The new patches are applicable to SD-WAN 4000-WO, 5000-WO, 4100-WO, and 5100-WO platforms.
UPDATE: Monday, 2/17/20 - ZDNet is reporting that a new report (from ClearSky Research - available here) reveals that Iranian hacking units have spent the past year exploiting VPN bugs as soon as they became public. Doing so may have enabled them to infiltrate and plant backdoors in companies all over the world. According to the report, these hackers have targeted vulnerabilities in VPN servers from Pulse Secure, Palo Alto Networks, Fortinet, and Citrix.
UPDATE: Friday, 2/21/20 - Brian Krebs of KrebsonSecurity.com has reported that hackers were inside of Citrix's network for five months between Oct. 13, 2018 and Mar. 8, 2019. Citrix released a statement saying it appeared hackers “may have accessed and downloaded business documents,” and that it was still working to identify what precisely was accessed or stolen.