Vulnerable Citrix Appliances

On December 17, Citrix disclosed a vulnerability in their ADC, Gateway and SD-WAN product lines. Some patches were delivered around January 10, but these patches were not that efficient. A proper patch was not released before January 19 to January 24, depending on the appliance and release train.

Unfortunately, the nature of the vulnerability makes it extremely simple to exploit. That, combined with the fact that these appliances are usually directly connected to the Internet, makes this a serious threat to the overall Internet health. Exploit code has been generally available since about January 11 and there are now multiple, automated scanners deployed that is targeting unpatched appliances. When compromised, the malware is collecting config files and potentially SSL certificates and keys. There has also been attempts at using compromised appliances as stepping stones to move further into the infrastructure.

Basefarm recommend that all such appliances are checked and verified OK as soon as possible. FireEye has released a tool to aid in the verification. This tool can be found on Github. If a box is believed to be compromised, Basefarm recommends that the appliance is disconnected from the Internet immediately and fully replaced with a freshly installed one with all necessary patches in place before the appliance is exposed to the Internet again. All credentials and SSL keys stored on the appliance should be rotated.