The danger of Shitrix
A vulnerability (CVE-2019-19781, codenamed Shitrix) has been discovered in Citrix Application Delivery Controller and Citrix Gateway, formerly known as NetScaler ADC and NetScaler Gateway. This vulnerability allows a hacker to execute arbitrary code in order to obtain full control over the Citrix ADC and Citrix Gateway systems. Once access to these systems has been obtained, an attacker can use them as a stepping stone to attack the internal IT infrastructure of the targeted organization.
The vulnerability affects all recent (major) versions of these products. It can be exploited by any attacker with network access to the systems, without the attacker being in possession of valid login credentials. Since many organizations expose Citrix ADC and Citrix Gateway directly to the internet, there is an increased risk of successful attacks, especially since working exploit code has been released to the internet.
Is my system vulnerable?
Tens of thousands of vulnerable servers have been found all over the world. In the Netherlands, hundreds of companies are estimated to have vulnerable systems. Do you want to know if your company is in danger? Check if your system is vulnerable using the Python tool at github.com.
How to reduce the risk of a successful attack?
At the time of writing no updates are available to resolve the vulnerability. Citrix expects to release the first updates from January 20th, 2020. More information about the vulnerability and the expected updates can be found at support.citrix.com.
To limit the risk of exploitation, Citrix has published mitigating steps at support.citrix.com. Unfortunately, these steps do not appear to be effective enough in all cases. In line with the NCSC, Qbit recommends taking all Citrix ADC and Citrix Gateway systems offline as long as no official patches have been released. As soon as the patches have been released, install them as quickly as possible.