Hackers Actively Scanning & Constantly Attempting To Exploit Citrix ADC Vulnerabilities

Recently, Citrix published a set of 11 vulnerabilities in its most popular products, including Citrix ADC, and new research has found that hackers are constantly attempting several ways to exploit these Citrix ADC vulnerabilities.

Out of the 11 vulnerabilities, there are six possible attack routes; five of those have barriers to exploitation.

The previous Citrix ADC vulnerability, discovered in December 2019, was a high-risk flaw that allowed unauthenticated remote code execution by remote attackers.

The vulnerabilities affect various Citrix products across the company's product line and range from a comparatively low-risk local elevation-of-privilege defect to more severe code injection and cross-site scripting flaws.

However, Citrix has plenty of mitigating factors for the different kinds of vulnerabilities, which make exploitation more complex.

Total Number of CVEs

According to security experts, it is not clear exactly which CVE was allocated to which vulnerability, but the probable candidates are:

  • CVE-2020-8191
  • CVE-2020-8193
  • CVE-2020-8194
  • CVE-2020-8195
  • CVE-2020-8196

Affected Products

In total, 11 issues were published, and the affected products and the type of each issue are listed below:

  • Citrix ADC, Citrix Gateway: Information disclosure
  • Citrix ADC, Citrix Gateway 12.0 and 11.1 only: Denial of service
  • Citrix ADC, Citrix Gateway: Local elevation of privileges
  • Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP: Reflected Cross-Site Scripting (XSS)
  • Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP: Authorization bypass
  • Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP: Code Injection
  • Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP: Information disclosure
  • Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP: Information disclosure
  • Citrix ADC, Citrix Gateway: Elevation of privileges
  • Citrix ADC, Citrix Gateway, Citrix SDWAN WANOP: Stored Cross-Site Scripting (XSS)
  • Citrix Gateway Plug-in for Linux: Local elevation of privileges

Affected IPs

The first issue was marked as the most severe one; it allows an attacker to download malicious files onto affected systems. Currently, the IP address 13.232.154.46 is being used by hackers to carry out this malicious activity.

Apart from this, a total of 16 IP addresses are associated with this activity, all of which belong to "hostwindsdns{.}com":

  • 23.254.164.181
  • 23.254.164.48
  • 43.245.160.163
  • 104.168.166.234
  • 104.168.194.148
  • 142.11.213.254
  • 142.11.227.204
  • 192.119.73.107
  • 192.119.73.108
  • 192.236.162.232
  • 192.236.163.117
  • 192.236.163.119
  • 192.236.192.119
  • 192.236.192.3
  • 192.236.192.5
  • 192.236.192.6

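The addresses above are useful as a watchlist: a defender can match them against the access logs of the appliance (or of the reverse proxy in front of it) to see whether any of the scanning sources reached the device. The following script is an added example and is not code from the article or from Citrix; it assumes the log is in Common Log Format (the timestamps, paths and the non-listed address 198.51.100.7 in SAMPLE_LOG are constructed for the demonstration).

```python
import ipaddress
import re
from collections import Counter

# Source IPs published in the article for the Citrix ADC (CTX276688) scanning activity.
# 13.232.154.46 is the address the article names for the most severe issue; the rest
# are the 16 hostwinds addresses listed above.
PAGE_IOC_IPS = {
    "13.232.154.46",
    "23.254.164.181", "23.254.164.48", "43.245.160.163",
    "104.168.166.234", "104.168.194.148", "142.11.213.254", "142.11.227.204",
    "192.119.73.107", "192.119.73.108", "192.236.162.232", "192.236.163.117",
    "192.236.163.119", "192.236.192.119", "192.236.192.3", "192.236.192.5",
    "192.236.192.6",
}

# Common Log Format: client IP, ident, user, [timestamp], "request line", status, size.
# Assumption: the access log being checked uses this layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of the log fields, or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["ip"])  # reject lines whose client field is not an IP
    except ValueError:
        return None
    return rec


def find_ioc_hits(lines, ioc_ips=PAGE_IOC_IPS):
    """Return the parsed records whose client IP is on the watchlist."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in ioc_ips:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per source IP so the noisiest scanner stands out."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log lines; paths and timestamps are illustrative only.
SAMPLE_LOG = [
    '13.232.154.46 - - [10/Jul/2020:11:02:13 +0000] "GET / HTTP/1.1" 200 1523',
    '198.51.100.7 - - [10/Jul/2020:11:02:15 +0000] "GET /vpn/index.html HTTP/1.1" 200 3301',
    '192.236.192.3 - - [10/Jul/2020:11:03:40 +0000] "GET / HTTP/1.1" 200 1523',
    '192.236.192.3 - - [10/Jul/2020:11:03:41 +0000] "GET /vpn/index.html HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("per-source counts:", dict(summarize(hits)))
```

Replace SAMPLE_LOG with the lines of the real access log (for example `open(path).read().splitlines()`); a hit only proves that a listed address reached the appliance, so the matched request paths and status codes should be reviewed against the Citrix advisory before concluding that any of the six attack routes was actually attempted.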
Three of the six potential attacks in CTX276688 take place in the administration interface of a vulnerable device. Systems deployed in line with Citrix's support recommendations will already have this interface isolated from the network and guarded by a firewall.

This kind of configuration considerably reduces the risk. Still, Citrix is not publishing most of the technical details of the vulnerabilities or patches, in order to limit possible exploitation by threat actors, who watch patch releases for new targets.

Citrix recommended that customers on Citrix SD-WAN WANOP should also pay heed to the advisory just released, as ADC is a component within the SD-WAN WANOP deployment. Fixes are available here.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
