Citrix vulnerability Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/citrix-vulnerability/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Wed, 12 Aug 2020 16:20:40 +0000 en-US hourly 1 https://wordpress.org/?v=92484 200474804 Citrix expects attacks on fresh issues in XenMobile https://gridinsoft.com/blogs/citrix-expects-attacks-on-fresh-issues-in-xenmobile/ https://gridinsoft.com/blogs/citrix-expects-attacks-on-fresh-issues-in-xenmobile/#respond Wed, 12 Aug 2020 16:20:40 +0000 https://blog.gridinsoft.com/?p=4176 Citrix engineers released a number of Citrix Endpoint Management patches this week. Citrix expects attacks on XenMobile Server corporate mobile device management systems. These issues give an attacker the ability to gain administrative privileges on vulnerable systems. The severity of the encountered issues, which received CVE IDs CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212, differs depending… Continue reading Citrix expects attacks on fresh issues in XenMobile

The post Citrix expects attacks on fresh issues in XenMobile appeared first on Gridinsoft Blog.

]]>
Citrix engineers released a number of Citrix Endpoint Management patches this week. Citrix expects attacks on XenMobile Server corporate mobile device management systems. These issues give an attacker the ability to gain administrative privileges on vulnerable systems.

The severity of the encountered issues, which received CVE IDs CVE-2020-8208, CVE-2020-8209, CVE-2020-8210, CVE-2020-8211, and CVE-2020-8212, differs depending on the version of XenMobile used.

Thus, vulnerabilities will be critical for XenMobile versions from 10.12 to RP2, from 10.11 to RP4, from 10.10 to RP6 and all versions up to 10.9 RP5. In turn, for XenMobile versions 10.12 to RP3, 10.11 to RP6, 10.10 to RP6 and up to 10.9 RP5, the threat will be low to medium.

The company’s specialists write that all versions of 10.9.x should be immediately updated (preferably to the latest 10.12 RP3), since some problems can be used remotely and without authentication. Currently, more than 70% of potentially vulnerable customers who were previously notified of problems have already installed the available fixes.

“We recommend updating immediately. Although there are currently no known exploits [for these problems], we expect attackers to use them very soon”, — warns the company.

Let me remind you that Citrix users are quite inert, and after patches from a past dangerous bug, 20% of companies remained vulnerable. You should not expect that some noble hackers will patch your systems for you, although this has already happened.

Although Citrix experts do not disclose the details of the discovered problem, Positive Technologies specialist Andrey Medov discovered the CVE-2020-8209 vulnerability. He said that it belongs to the Path Traversal class and is related to insufficient validation of the input data.

“The exploitation of this vulnerability provides information that can be useful when crossing the perimeter, since the configuration file often stores a domain account for connecting to LDAP”, — says the expert.

A remote attacker can use the received data to authenticate to other external company resources: corporate mail, VPN, web applications. In addition, by reading the configuration file, an attacker can gain access to important data, for example, the password from the database (by default – from the local PostgreSQL, in some cases – from the remote SQL Server).

However, given that the database is located inside the corporate perimeter and cannot be connected to it from the outside, this vector can only be used in complex attacks, for example, with the help of an accomplice within the company.

The post Citrix expects attacks on fresh issues in XenMobile appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/citrix-expects-attacks-on-fresh-issues-in-xenmobile/feed/ 0 4176
Citrix releases new patches, racing with the hackers that install encryptors on vulnerable machines https://gridinsoft.com/blogs/citrix-releases-new-patches-racing-with-the-hackers-that-install-encryptors-on-vulnerable-machines/ https://gridinsoft.com/blogs/citrix-releases-new-patches-racing-with-the-hackers-that-install-encryptors-on-vulnerable-machines/#respond Mon, 27 Jan 2020 18:08:42 +0000 https://blog.gridinsoft.com/?p=3389 Destructive race: Citrix releases new patches, and hackers are actively attacking vulnerable servers and installing encryption engines on them. It seems that users are losing. At the beginning of this year was discovered CVE-2019-19781 vulnerability, which affects a number of versions of Citrix Application Delivery Controller (ADC), Citrix Gateway, as well as two old versions… Continue reading Citrix releases new patches, racing with the hackers that install encryptors on vulnerable machines

The post Citrix releases new patches, racing with the hackers that install encryptors on vulnerable machines appeared first on Gridinsoft Blog.

]]>
Destructive race: Citrix releases new patches, and hackers are actively attacking vulnerable servers and installing encryption engines on them. It seems that users are losing.

At the beginning of this year was discovered CVE-2019-19781 vulnerability, which affects a number of versions of Citrix Application Delivery Controller (ADC), Citrix Gateway, as well as two old versions of Citrix SD-WAN WANOP. As was reported at the beginning of the month, there were exploits for it in the public domain.

After the publication of the exploits, attacks on vulnerable versions of Citrix intensified, just as it was expected, as numerous hackers hope to compromise some important goal that did not have time to upgrade – a corporate network, a state server, or a government agency.

“The main problem was that though more than a month has passed since the vulnerability was discovered, Citrix developers were in no hurry to release the patch”, – IS experts condemn the company.

Firstly, company limited itself to only safety recommendations, explaining to customers how to reduce risks.

There was even an interesting precedent – an unknown hacker used vulnerable methods to patch vulnerable Citrix servers and, according to information security analysts, not because he was Robin Hood, his intentions were dubious.

Citrix developers presented an actual patch only last week, and did not release the final patches untill the last Friday.

Citrix and FireEye experts also provided free solutions to identify compromises and vulnerable systems.

Now FireEye and Under the Breach analysts are warning that cryptographic operators REvil (Sodinokibi) and Ragnarok are actively infecting vulnerable Citrix servers, which are still numerous.

“I examined the files REvil posted from Gedia.com after they refused to pay the ransomware. The interesting thing I discovered is that they obviously hacked Gedia via the Citrix exploit. My bet is that all recent targets were accessed via this exploit. It just goes to show how much impact a single exploit could have. Other files included invoices, data structures and a complete dump of the servers passwords. GDPR will go hard on these guys and this is exactly what REvil wants, the incentive to ransomware is truly alive!”, — writes Under the Breach company representative.

Additionally, according to unconfirmed reports, the creators of the Maze ransomware targeted vulnerable systems.

It is necessary to say that overall the process of installing patches is going well. If in December 2019 the number of vulnerable systems was estimated at 80,000 servers, then in mid-January their number dropped to about 25,000, and last week it fell below 11,000 systems altogether. Specialists from the GDI Foundation closely monitor these statistics.

The post Citrix releases new patches, racing with the hackers that install encryptors on vulnerable machines appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/citrix-releases-new-patches-racing-with-the-hackers-that-install-encryptors-on-vulnerable-machines/feed/ 0 3389