{"id":17493,"date":"2020-01-21T08:30:08","date_gmt":"2020-01-21T16:30:08","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/21\/news-11228\/"},"modified":"2020-01-21T08:30:08","modified_gmt":"2020-01-21T16:30:08","slug":"news-11228","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/21\/news-11228\/","title":{"rendered":"Don\u2019t worry about CurveBall just yet \u2014 get your Citrix systems patched"},"content":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Tue, 21 Jan 2020 08:03:00 -0800<\/strong><\/p>\n

Hey, admins! It\u2019s been an exciting week, eh?<\/span><\/p>\n

Most of you have been inundated with requests\u00a0\u2014 demands\u00a0\u2014 that you patch all of your systems immediately to protect them from the highly publicized CVE-2020-0601 Crypt32.dll security hole, known as <\/span>\u201cChain Of Fools\u201d or \u201cCurveBall.\u201d\u00a0<\/span><\/a><\/p>\n

While you were scrambling to comply with the NSA\u2019s unique advertising, abetted by almost every security expert on the planet, a funny thing happened. There are no in-the-wild exploits for the ol\u2019 CurveBall. But there are lots and lots of Citrix ADC and Citrix Gateway <\/span>systems under attack<\/span><\/a>, using a security hole announced in December called CVE-2019-19781.\u00a0<\/span><\/p>\n

It\u2019s so bad that <\/span>@Random_Robbie said<\/span><\/a>\u00a0in a tweet early this morning that nearly all of the top malicious scans this morning detected by <\/span>GreyNoise.io<\/span><\/a> are trying to crack into Citrix (formerly NetScaler) Gateway systems.<\/span><\/p>\n

According to <\/span>@0XDUDE Victor Gevers<\/span><\/a>, as of early Monday morning, \u201c14,180 [servers] are still vulnerable. There are sensitive networks unpatched out there. With only a few volunteers we are trying to help (remotely) these organizations that are behind or stuck in the mitigation process.\u201d<\/span><\/p>\n

William Ballenthin and Josh Madeley at <\/span>FireEye have discovered<\/span><\/a> a novel piece of malware called NOTROBIN that takes over compromised Citrix systems then leaves a back door for future exploits:<\/span><\/p>\n

Upon gaining access to a vulnerable NetScaler device, this actor cleans up known malware and deploys NOTROBIN to block subsequent exploitation attempts! But all is not as it seems, as NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye believes that this actor may be quietly collecting access to NetScaler devices for a subsequent campaign.<\/span><\/p>\n

Citrix itself posted some<\/span> manual workarounds<\/span><\/a> on Dec. 19, but it didn\u2019t get around to issuing\u00a0 <\/span>fixes for some of their products<\/span><\/a> until Sunday:<\/span><\/p>\n

Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads <\/span>here <\/span><\/a>and <\/span>here<\/span><\/a>.<\/span><\/p>\n

These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.<\/span><\/p>\n

It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes.\u00a0<\/span><\/p>\n

If you\u2019re using ADC version 12.1, 13, or 10.5, or the SW-WAN WANOP package, you get to wait until the end of this week.<\/span><\/p>\n

All of this has led the Dutch National Cyber Security Centrum to issue a <\/span>startling recommendation<\/span><\/a>:<\/span><\/p>\n

If you have not applied the mitigating measures of Citrix or only after 9 January 2020, you can reasonably assume that your system has been compromised due to the public exploits becoming known. The NCSC recommends at least drawing up a recovery plan as explained in the section \u201cPossible compromise\u201d in this message.<\/span><\/p>\n

Yes, they\u2019re saying that if you\u2019re running any of the affected Citrix products, and you didn\u2019t apply manual blocks until after Jan. 9, you should assume that your systems are compromised.<\/span><\/p>\n

Meanwhile, poster wruttscheidt on the<\/span> Citrix discussion forums<\/span><\/a> has some pointed (and unanswered) questions for Citrix management.<\/span><\/p>\n

While your users clamored for a fix to a non-existent threat, many of you had your networks pwned.<\/span><\/p>\n

I continue to recommend that you hold off installing the January Patch Tuesday patches. Some problems have cropped up, and it\u2019s still too early to tell if anything major is lurking. Get your Citrix house in order, and wait for this month’s highly publicized patches to ferment.<\/span><\/p>\n

Join us for the straight scoop <\/span><\/i>on AskWoody.com.<\/span><\/i><\/a><\/p>\n

http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Woody Leonhard| Date: Tue, 21 Jan 2020 08:03:00 -0800<\/strong><\/p>\n

\n
\n

Hey, admins! It\u2019s been an exciting week, eh?<\/span><\/p>\n

Most of you have been inundated with requests\u00a0\u2014 demands\u00a0\u2014 that you patch all of your systems immediately to protect them from the highly publicized CVE-2020-0601 Crypt32.dll security hole, known as <\/span>\u201cChain Of Fools\u201d or \u201cCurveBall.\u201d\u00a0<\/span><\/a><\/p>\n

While you were scrambling to comply with the NSA\u2019s unique advertising, abetted by almost every security expert on the planet, a funny thing happened. There are no in-the-wild exploits for the ol\u2019 CurveBall. But there are lots and lots of Citrix ADC and Citrix Gateway <\/span>systems under attack<\/span><\/a>, using a security hole announced in December called CVE-2019-19781.\u00a0<\/span><\/p>\n

To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,714,10525],"class_list":["post-17493","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17493"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17493\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17493"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}