Delivering Peace of Mind About New Citrix Emerging Threat

The cyber threat intel feeds are on fire with multiple high-profile vulnerabilities affecting widely deployed networking devices, and security teams are scrambling under task saturation. “What is the biggest risk? Where are we exposed?” The Continuous Attack Surface Testing (CAST) Team at Bishop Fox has been following these stories as they unfold: researching the vulnerabilities, crafting exploits, and, most importantly, notifying our clients of their potential exposures.

In this group of vulnerabilities, Citrix announced 11 CVEs that impact their ADC, Gateway, and SD-WAN WANOP products. We quickly identified the highest severity threat, an authentication bypass (CVE-2020-8193). At first, it appeared to be a high-risk vulnerability affecting many organizations, but upon further investigation, our CAST team discovered that an attacker must have access to the NetScaler IP (NSIP) management interface. The NSIP service should never be exposed externally; if it is, that is a misconfiguration issue. Although we ran an on-demand scan to confirm, we knew from our continuous attack surface testing that our clients do not have any publicly exposed NSIP interfaces. If they did, we would have already flagged the issue and helped clients re-configure their application. As a result, we were able to de-escalate the risk for our CAST clients, giving them immediate peace of mind that they weren't at risk from the Citrix vulnerability (CVE-2020-8193).

THE CLIENT EXPERIENCE

In addition to immediately notifying our clients via chat channels, we provided customized reports to each client with an assessment of their exposure, recommendations, and instructions on how to apply the necessary mitigations and patches. With the CAST service, we were quickly able to deliver some peace of mind for our clients about the emerging threat they were hearing about online. Then we went straight back to proactively protecting our clients by discovering and analyzing the next panic-inducing CVEs dominating infosec Twitter. CAST clients who are following the same conversations online know they can always flag us instantly in chat and ask us to dig into the latest bug making waves to see if they’re affected and, if so, how to remediate the issue.

Earlier this year, a related but high-severity Citrix vulnerability hit the news, and our CAST team was able to give clients a full month (30 days) to remediate the threat prior to the official release of the patch. Read more about that story here: https://labs.bishopfox.com/industry-blog/staying-ahead-of-emerging-threats

References:

https://dmaasland.github.io/posts/citrix.html, CVE author’s writeup and Proof of Concept (POC)

https://support.citrix.com/article/CTX276688, Citrix Advisory