Don’t worry about CurveBall just yet — get your Citrix systems patched
Credit to Author: Woody Leonhard| Date: Tue, 21 Jan 2020 08:03:00 -0800
Hey, admins! It’s been an exciting week, eh?
Most of you have been inundated with requests — demands — that you patch all of your systems immediately to protect them from the highly publicized CVE-2020-0601 Crypt32.dll security hole, known as “Chain Of Fools” or “CurveBall.”
While you were scrambling to comply with the NSA’s unique advertising, abetted by almost every security expert on the planet, a funny thing happened. There are no in-the-wild exploits for the ol’ CurveBall. But there are lots and lots of Citrix ADC and Citrix Gateway systems under attack, using a security hole announced in December called CVE-2019-19781.
It’s so bad that @Random_Robbie said in a tweet early this morning that nearly all of the top malicious scans this morning detected by GreyNoise.io are trying to crack into Citrix (formerly NetScaler) Gateway systems.
According to @0XDUDE Victor Gevers, as of early Monday morning, “14,180 [servers] are still vulnerable. There are sensitive networks unpatched out there. With only a few volunteers we are trying to help (remotely) these organizations that are behind or stuck in the mitigation process.”
William Ballenthin and Josh Madeley at FireEye have discovered a novel piece of malware called NOTROBIN that takes over compromised Citrix systems then leaves a back door for future exploits:
Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.
Citrix itself posted some manual workarounds on Dec. 19, but it didn’t get around to issuing fixes for some of their products until Sunday:
Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here.
These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.
It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes.
If you’re using ADC version 12.1, 13, or 10.5, or the SW-WAN WANOP package, you get to wait until the end of this week.
All of this has led the Dutch National Cyber Security Centrum to issue a startling recommendation:
If you have not applied the mitigating measures of Citrix or only after 9 January 2020, you can reasonably assume that your system has been compromised due to the public exploits becoming known. The NCSC recommends at least drawing up a recovery plan as explained in the section “Possible compromise” in this message.
Yes, they’re saying that if you’re running any of the affected Citrix products, and you didn’t apply manual blocks until after Jan. 9, you should assume that your systems are compromised.
Meanwhile, poster wruttscheidt on the Citrix discussion forums has some pointed (and unanswered) questions for Citrix management.
While your users clamored for a fix to a non-existent threat, many of you had your networks pwned.
I continue to recommend that you hold off installing the January Patch Tuesday patches. Some problems have cropped up, and it’s still too early to tell if anything major is lurking. Get your Citrix house in order, and wait for this month’s highly publicized patches to ferment.
Join us for the straight scoop on AskWoody.com.