A recently identified vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, allows an unauthenticated attacker, if the vulnerability is exploited, to perform arbitrary code execution. The vulnerability has been assigned the CVE number CVE-2019-19781. It is estimated that about 80K organizations are impacted.
There is no patch available yet, but Citrix has published recommended mitigations. For Silverfort customers, we recommend the following additional precautionary measures on top of the ones recommended by Citrix, to ensure that an already compromised device is not used for unauthorized access.
Here are the recommended mitigation steps for Citrix ADC or Citrix Gateway users:
- Subscribe to the Citrix alerts so you will know when the fixed firmware is released: https://support.citrix.com/user/alerts
- Perform the mitigation steps recommended by Citrix as described here: https://support.citrix.com/article/CTX267679
- Protect access to systems and applications accessible from your Citrix device with MFA: In addition to the steps recommended by Citrix, we recommend enforcing MFA to secure the authentication of users before granting them access to sensitive resources. Citrix enables you to enforce MFA on access through its devices to target systems. However, that solution isn’t enough: If a hacker already exploited the vulnerability and compromised the Citrix device, MFA will not be enforced on access by code running on the compromised Citrix device. In this case Silverfort can still enforce secure authentication whether the access originates from the compromised device or from a legitimate user.
- Monitor authentication activity and look for anomalies: Anomalies in authentication traffic originating from the Citrix device, and in authentication traffic targeting the systems that are accessible from the Citrix device, will show up in authentication logs and warrant further investigation. Silverfort’s AI-driven Risk engine can automatically identify these anomalies and enforce a policy to alert in real time or block access.
Things to look out for include:
– High risk authentication
– Unusually high load of authentication
– Failed authentications
– Authentication originating from the Citrix Gateway of a kind that does not normally originate from there. For example, watch for file share access (Kerberos tickets for the cifs service) and RDP access (Kerberos tickets for the termsrv service).
– Authentication originating from the Citrix Gateway that is not directed to Citrix protected applications.
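The checks listed above, as an added detection example that is not Silverfort's or Citrix's code: it runs over constructed Windows Security event 4769 (Kerberos service ticket request) records and flags traffic sourced from the gateway address. The gateway IP, the list of Citrix-protected service principal names, the hostnames and the thresholds are all assumptions.

```python
# Added example: flags the Citrix Gateway authentication anomalies listed above
# in constructed Windows Security event 4769 (Kerberos service ticket request)
# records. Field names, IPs, hostnames and thresholds are assumptions.
from collections import Counter

GATEWAY_IPS = {"10.0.0.5"}                  # assumed address(es) of the Citrix Gateway
# SPNs the gateway is expected to request tickets for (assumed: the published
# Citrix-protected web apps); anything else sourced from the gateway is suspicious.
PROTECTED_SPNS = {"http/webapp01.corp.example", "http/intranet.corp.example"}
UNEXPECTED_CLASSES = {"cifs", "termsrv"}    # file shares and RDP, as named in the text
VOLUME_THRESHOLD = 3                        # tickets per source in the window (assumed)
FAILURE_THRESHOLD = 2                       # failures per source in the window (assumed)

# Constructed sample 4769 records, not real log data. Status "0x0" means success.
SAMPLE_EVENTS = [
    {"id": 4769, "src": "10.0.0.5", "user": "alice",   "spn": "http/webapp01.corp.example",   "status": "0x0"},
    {"id": 4769, "src": "10.0.0.5", "user": "svc-web", "spn": "cifs/fileserver01.corp.example", "status": "0x0"},
    {"id": 4769, "src": "10.0.0.5", "user": "svc-web", "spn": "termsrv/dc01.corp.example",     "status": "0x0"},
    {"id": 4769, "src": "10.0.0.5", "user": "svc-web", "spn": "ldap/dc01.corp.example",        "status": "0x6"},
    {"id": 4769, "src": "10.0.0.5", "user": "svc-web", "spn": "ldap/dc01.corp.example",        "status": "0x6"},
    {"id": 4769, "src": "10.0.0.9", "user": "bob",     "spn": "cifs/fileserver01.corp.example", "status": "0x0"},
]

def flag_gateway_anomalies(events, gateway_ips=GATEWAY_IPS):
    """Return (rule, source_ip, detail) tuples, one per anomaly found."""
    findings = []
    volume, failures = Counter(), Counter()
    for e in events:
        if e["id"] != 4769 or e["src"] not in gateway_ips:
            continue                        # only ticket requests sourced from the gateway
        volume[e["src"]] += 1
        if e["status"] != "0x0":
            failures[e["src"]] += 1         # failed authentications
        svc_class = e["spn"].split("/", 1)[0].lower()
        if svc_class in UNEXPECTED_CLASSES:
            findings.append(("unexpected-service-class", e["src"], e["spn"]))
        elif e["spn"].lower() not in PROTECTED_SPNS:
            findings.append(("not-citrix-protected-app", e["src"], e["spn"]))
    for src, n in volume.items():
        if n > VOLUME_THRESHOLD:            # unusually high authentication load
            findings.append(("high-auth-volume", src, f"{n} tickets"))
    for src, n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append(("repeated-failures", src, f"{n} failures"))
    return findings

if __name__ == "__main__":
    for rule, src, detail in flag_gateway_anomalies(SAMPLE_EVENTS):
        print(f"{rule:26} {src:10} {detail}")
```

In a real deployment the same rules would be fed from the domain controllers' Security logs or a SIEM export rather than from the inline sample list.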
It’s important to remember that threats exist within our networks, not just outside them. We must consider the fact that adversaries may have already penetrated our networks and gained a foothold that enables further lateral movement and access to sensitive resources. To ensure that access to our systems is authorized, we must validate identities and enforce secure authentication on access from those already inside our networks, just as we require secure authentication to validate the identities of those coming from outside our networks through a VPN or other gateways.