By Kevin Beaumont
The boilerplate description
"A vulnerability has been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution."
What it means in practice
Unauthenticated remote code execution on internet-connected Citrix Gateway devices = bad.
Are attackers actually exploiting this vulnerability?
Yes, at scale, against targeted and untargeted assets.
Lame stuff like coin miners, but also devices getting backdoored, and people trying to use this to deploy ransomware inside Windows orgs behind the Citrix boxes.
Vendor advisory and patches
Checking if your device has already been exploited
Check out this tool, which is getting frequent updates: https://github.com/fireeye/ioc-scanner-CVE-2019-19781/tree/v1.2
Scale of the issue
Somewhere in the region of ~100k devices were exploitable with this back in December. After having a huge awareness campaign via all sorts of orgs, this one is about ~10k unpatched devices at present. Those orgs are still in serious danger of exploitation.
If you patched late
You want to run the FireEye tool linked above to look for exploitation, as attackers may have backdoored your device.
I just applied the mitigations
You should also apply the patch, as it hardens the setup - just the mitigations alone present some issues.
By Tim Corless
Came across this on my travels: https://portswigger.net/daily-swig/webmin-backdoor-blamed-on-software-supply-chain-breach
Webmin software was backdoored for over a year. If you're using one of those vulnerable versions, update now!
According to Shodan and some Google dorks, there are quite a lot still vulnerable.
By Kevin Beaumont
CVE-2019-11510, impacting Pulse Secure SSL VPN, is being exploited in the wild.
I've seen it being exploited today, a few hours ago for the first time, via BinaryEdge.
24th April 2019 - Vendor advisory.
14th August 2019 - TLP Rainbow post.
20th August 2019 - exploit posted publicly.
22nd August 2019 - exploitation in wild.
Pulse Secure is one of the "Zero Trust" secure SSL VPN systems where you get pwned by 1996 ../../ exploits.
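Both the Citrix Gateway post and the Pulse Secure post above come down to the same class of bug: path traversal (the "1996 ../../ exploits") on an internet-facing appliance. The following is an added example, not code from either post, the vendors, or the FireEye tool. It shows the check a defender would run over web access logs to spot traversal attempts, including the URL-encoded and double-encoded spellings that a naive search for the literal string `../` misses. The log format, IP addresses, timestamps and request paths are all constructed here for illustration; nothing in it is a product-specific exploit path.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined-style, not taken from
# any real appliance). Line 1 is benign; lines 2-4 are traversal attempts in
# plain, percent-encoded and double-percent-encoded form respectively.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Aug/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.9 - - [22/Aug/2019:10:01:05 +0000] "GET /static/../../config/app.conf HTTP/1.1" 404 0
198.51.100.9 - - [22/Aug/2019:10:01:06 +0000] "GET /static/%2e%2e/%2e%2e/config/app.conf HTTP/1.1" 404 0
198.51.100.9 - - [22/Aug/2019:10:01:07 +0000] "GET /static/..%252f..%252fconfig/app.conf HTTP/1.1" 404 0
"""

# Minimal parser for the constructed log format above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def normalize_path(path, max_rounds=3):
    """Percent-decode repeatedly (to unwrap double encoding such as %252f),
    then unify backslashes to forward slashes so segment checks are uniform."""
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(path):
    """True when any path segment, after normalization, is exactly '..'.
    Comparing whole segments (not substrings) avoids false positives on
    names like '..foo' or 'a..b'."""
    norm = normalize_path(path).split("?", 1)[0]  # drop the query string
    return any(seg == ".." for seg in norm.split("/"))


def scan_log(text):
    """Return (ip, raw_path, status) for every request flagged as traversal."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the scan
        if is_traversal(m["path"]):
            hits.append((m["ip"], m["path"], m["status"]))
    return hits


def sources(hits):
    """Count flagged requests per client IP, useful for triage."""
    counts = {}
    for ip, _path, _status in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, path, status in found:
        print(f"{ip} traversal attempt: {path} (status {status})")
    print("per-source counts:", sources(found))
```

Two design points worth keeping when adapting this to real logs: decode in a loop, because a single `unquote` turns `%252f` into `%2f` and still hides the separator; and treat a 404 on a flagged request as a probe rather than as harmless, since a pre-patch device would have answered the same request with a 200.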