When researchers post newly-discovered exploits, we often wonder how long it will take for a theoretical exploit to actively manifest in malware.
Unfortunately, sometimes the flaw is so severe in its consequences, action needs to be taken immediately.
Vulnerability CVE-2019-19781 in several Citrix devices is one such flaw. Project Zero India first disclosed the flaw on Dec. 17, 2019, and posted the proof of concept in mid-January.
Citrix confirmed that the critical vulnerability exists, and that exploits have already been observed. Unfortunately, the company will not have patches available for all products until the end of January.
Owners of Citrix Application Delivery Controller (ADC), Citrix SDWAN WANOP, NetScaler ADC, or NetScaler Gateway are urged to study and implement the mitigation steps that can be taken to reduce the impact of the flaw until the patch becomes available.
After examining the commands that Citrix suggests for mitigation, ThreatPost theorizes that the flaw “stems from the VPN handler failing to sufficiently sanitize user-supplied inputs.” Malicious actors using this flaw can bypass the authentication steps and execute arbitrary code within the system. In other words, no passwords are necessary to run exploits.
Researchers urge Citrix customers to check their systems for signs of exploitation by using the “grep” command to search their logs for requests containing “..” or “vpns.”
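The log check described above, written out as an added example (not code from the original post, nor a Citrix-supplied script). It assumes access-log lines in the common “combined” format and uses only constructed sample entries with placeholder paths; the one addition beyond a plain substring search is percent-decoding the request path before matching, so that an encoded “..” is not missed. Note that the “vpns” indicator also matches the legitimate plugin-download path the post mentions, so hits need a human look before being treated as compromise evidence.

```python
import re
from urllib.parse import unquote

# Matches the standard "combined" access-log format; only the fields we
# need (client IP, timestamp, method, request path, status) are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (made-up entries, not real appliance logs).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges;
# PLACEHOLDER stands in for whatever path an attacker might request.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2020:03:15:22 +0000] "GET /vpn/../vpns/PLACEHOLDER HTTP/1.1" 200 83 "-" "curl/7.64"
198.51.100.7 - - [11/Jan/2020:03:15:40 +0000] "GET /vpn/%2e%2e/vpns/PLACEHOLDER HTTP/1.1" 200 83 "-" "curl/7.64"
203.0.113.10 - - [11/Jan/2020:03:16:01 +0000] "GET /vpns/scripts/vista/PLUGIN_PLACEHOLDER.exe HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def normalize_path(path: str) -> str:
    """Percent-decode until the string stops changing (bounded to 3 rounds)
    so that encoded dots or slashes become visible to the substring checks."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(path: str) -> list:
    """Return the indicators from the advisory that a request path matches:
    'dot-dot' for '..' and 'vpns' for the vpns directory. Empty list = clean."""
    p = normalize_path(path).lower()
    reasons = []
    if ".." in p:
        reasons.append("dot-dot")
    if "vpns" in p:
        reasons.append("vpns")
    return reasons


def find_suspicious_requests(log_text: str) -> list:
    """Scan access-log text and return one record per matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        reasons = classify(m.group("path"))
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": m.group("path"),
                "reasons": reasons,
            })
    return hits


def summarize_by_ip(hits: list) -> dict:
    """Count matching requests per client IP, to see who is probing."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_suspicious_requests(SAMPLE_LOG):
        print(h["ts"], h["ip"], h["path"], ",".join(h["reasons"]))
    print(summarize_by_ip(find_suspicious_requests(SAMPLE_LOG)))
```

On the constructed input, both traversal lines are reported (the second only because the path was decoded first), and the plugin-download line is reported for “vpns” alone, which is exactly the kind of hit an operator should expect to see from legitimate admin traffic.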
Citrix further recommends rebooting each device after applying the mitigation commands. While rebooting a device is not necessary to apply the revised policy, the reboot serves as a precautionary step to clear open sessions exploiting the vulnerability.
The company further cautions that nodes removed from a cluster, even those with mitigation applied, become vulnerable because their config and responder policies are cleared in the process of removing the node. Also, any backend webserver resource that contains ‘vpns’ in the directory (including the current admin UI link to /vpns/scripts/vista/*.exe used to download plugins) will be blocked after applying the scripts.
Cisco Vulnerabilities and Patches
Of course, Citrix is not alone in exposure to vulnerabilities.
Cisco Systems has just released patches to fix vulnerabilities in Webex Video Mesh software and their IOS/IOS XE software.
Cisco advises that improper validation within the web-based management interface of Video Mesh might allow an attacker to obtain administrative privileges and access the Linux operating system with root privileges.
While there have not been any observed attacks that try to exploit this flaw, Cisco rates the vulnerability 7.2/10.
The Cisco IOS/IOS XE software flaw rates even higher at 8.8/10 and stems from insufficient cross-site request forgery (CSRF) protection on the web user interface. A successful exploit using this vulnerability would start by persuading a user to follow a malicious link in a phishing attack or on a look-alike website.
Once the user enters their credentials, the attacker could then use those credentials to execute code on the system at the same privilege level of the tricked user.
If the user is an admin, the attacker gains admin-level rights.
This flaw likewise has not been seen exploited in real-world attacks, but Cisco users are strongly urged to update their affected systems.
Microsoft has likewise issued some critical patches that need to be applied as soon as possible.
The Department of Homeland Security issued emergency directive 20-02 for federal agencies to apply the patches released by Microsoft on Jan. 14, 2020.
One of the two critical flaws fixed by these patches corrects how Windows validates Elliptic Curve Cryptography (ECC) certificates. The flaw allowed the trust store to be bypassed, which could let malicious software appear authentically signed.
By faking a legitimate certificate, malware could more easily evade anti-virus detection.
The second flaw affected how the Remote Desktop Protocol handles connection requests between the server and its clients. Attackers exploiting this vulnerability could run arbitrary code without authentication or user interaction!
As with the Cisco patches, these upgrades fix flaws that have no known exploits actively being used by attackers. However, also just like the Cisco patches, the severity of the potential consequences leads to strenuous recommendations to apply these updates as soon as possible.
Unfortunately, even applying these patches might not be enough as long as employees keep reusing passwords.
Microsoft conducted a study of the logs of 45,000 workstations running Microsoft Defender Advanced Threat Protection over several months. The study revealed a widespread, low-volume brute-force attack being applied against Windows systems with open RDP ports.
Attackers typically ran automated tools over 2 or 3 days, trying only a few username and password combinations per hour. By keeping the volume low, they attempted to avoid detection that might cause firewalls to automatically ban their IP addresses.
While 90% of the attacks lasted less than one week, 5% of the attacks were observed to last for over two weeks! Fortunately, for the population under analysis they found only 0.08% of the RDP attacks succeeded in compromising the endpoint.
Across 45,000 devices, 0.08% translates to only 40 machines, but many more workstations have been deployed without Microsoft Defender Advanced Threat Protection, and many of those may have open RDP ports.
This is a strong reminder to IT departments to disable unneeded ports and to apply extra protection to RDP applications.
Microsoft’s analysis flagged specific types of behavior that can be monitored to detect similar attacks:
- Check the hour and day of the week for failed sign-in and RDP connections
- Check the timing of successful sign-ins following failed attempts
- Monitor Event ID 4625 logon failures (filtered to network and remote interactive logons, and to failure reasons %%2308, %%2312, %%2313)
- Track the count and cumulative count of distinct usernames that fail logins, total failed sign-ins, RDP inbound external IPs, and other machines having RDP inbound connections from one or more of the same IP addresses.
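The signals in the list above, turned into detection logic over sample log records, as an added example that is not part of the original post and not Microsoft's model (which is a probabilistic time-series approach). It assumes a simplified key=value export of Windows security events (a constructed format, not a real log export); the hosts, users and IPs are made up, the “low and slow” thresholds are assumptions, and the %%-tokens are kept as the raw failure-reason IDs the post quotes rather than interpreted.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Failure-reason tokens quoted in the post, kept as raw Event 4625 message IDs.
RDP_FAILURE_REASONS = {"%%2308", "%%2312", "%%2313"}
RDP_LOGON_TYPES = {"3", "10"}  # 3 = Network, 10 = RemoteInteractive

# Constructed sample events (made-up; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges). One source hits WS01 slowly over two days and then
# succeeds; a user on WS02 mistypes once and then logs in normally.
SAMPLE_EVENTS = """\
2020-01-06T03:05:00Z host=WS01 event=4625 logon_type=10 reason=%%2313 user=admin src=198.51.100.23
2020-01-06T03:40:00Z host=WS01 event=4625 logon_type=10 reason=%%2313 user=administrator src=198.51.100.23
2020-01-06T04:15:00Z host=WS01 event=4625 logon_type=10 reason=%%2313 user=backup src=198.51.100.23
2020-01-06T09:00:00Z host=WS01 event=4625 logon_type=2 reason=%%2313 user=jdoe src=-
2020-01-07T01:10:00Z host=WS01 event=4625 logon_type=10 reason=%%2313 user=test src=198.51.100.23
2020-01-07T01:50:00Z host=WS01 event=4625 logon_type=10 reason=%%2313 user=sysadmin src=198.51.100.23
2020-01-07T02:30:00Z host=WS01 event=4624 logon_type=10 user=sysadmin src=198.51.100.23
2020-01-06T03:00:00Z host=WS02 event=4625 logon_type=3 reason=%%2313 user=admin src=198.51.100.23
2020-01-06T10:00:00Z host=WS02 event=4625 logon_type=10 reason=%%2313 user=jsmith src=203.0.113.5
2020-01-06T10:00:30Z host=WS02 event=4624 logon_type=10 user=jsmith src=203.0.113.5
"""


def parse_events(text):
    """Parse the constructed 'timestamp key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        ev = {k: v for k, v in (p.split("=", 1) for p in kv)}
        ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def rdp_failures(events):
    """Event 4625 restricted to network/remote-interactive logons and to the
    three failure reasons the post lists (local console failures drop out)."""
    return [e for e in events
            if e["event"] == "4625" and e["logon_type"] in RDP_LOGON_TYPES
            and e.get("reason") in RDP_FAILURE_REASONS]


def daily_summary(failures):
    """Per host and day: failed sign-ins, distinct users, source IPs, and the
    cumulative distinct-user count across days."""
    per_day = defaultdict(lambda: defaultdict(lambda: {"fails": 0, "users": set(), "ips": set()}))
    for e in failures:
        d = per_day[e["host"]][e["time"].date()]
        d["fails"] += 1
        d["users"].add(e["user"])
        d["ips"].add(e["src"])
    out = {}
    for host, days in per_day.items():
        seen, out[host] = set(), []
        for day in sorted(days):
            seen |= days[day]["users"]
            out[host].append({"day": day.isoformat(), "fails": days[day]["fails"],
                              "distinct_users": len(days[day]["users"]),
                              "cumulative_users": len(seen),
                              "src_ips": sorted(days[day]["ips"])})
    return out


def low_and_slow_sources(failures, min_days=2, max_per_hour=5):
    """Assumed heuristic: a source that keeps failing against a host across
    several days while never exceeding a few attempts in any single hour."""
    by_pair = defaultdict(list)
    for e in failures:
        by_pair[(e["host"], e["src"])].append(e["time"])
    flagged = []
    for (host, src), times in by_pair.items():
        days = {t.date() for t in times}
        hourly = defaultdict(int)
        for t in times:
            hourly[t.replace(minute=0, second=0)] += 1
        if len(days) >= min_days and max(hourly.values()) <= max_per_hour:
            flagged.append({"host": host, "src": src, "days": len(days), "attempts": len(times)})
    return flagged


def successes_after_failures(events, min_failures=3, window=timedelta(hours=24)):
    """Successful RDP logons (4624) preceded by several failures from the same
    source on the same host inside the window: the 'timing of successful
    sign-ins following failed attempts' signal."""
    failures = rdp_failures(events)
    hits = []
    for e in events:
        if e["event"] != "4624" or e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        prior = [f for f in failures if f["host"] == e["host"] and f["src"] == e["src"]
                 and e["time"] - window <= f["time"] < e["time"]]
        if len(prior) >= min_failures:
            hits.append({"host": e["host"], "src": e["src"], "user": e["user"],
                         "time": e["time"].isoformat(), "prior_failures": len(prior)})
    return hits


def shared_source_ips(failures, min_hosts=2):
    """Source IPs producing RDP failures against more than one machine."""
    hosts = defaultdict(set)
    for e in failures:
        hosts[e["src"]].add(e["host"])
    return {ip: sorted(h) for ip, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    fails = rdp_failures(evs)
    print(daily_summary(fails))
    print(low_and_slow_sources(fails))
    print(successes_after_failures(evs))
    print(shared_source_ips(fails))
```

On the sample data the single slow source is flagged (five attempts over two days, never more than two in an hour), the later success from that source is reported with five prior failures, the same IP shows up against both hosts, and the one-off typo on WS02 triggers nothing. The thresholds are where tuning happens in practice: too low and ordinary mistyped passwords flood the output, too high and the 2-or-3-day campaigns the post describes slip through.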
Get the Right Support For Your Business
With new vulnerabilities being found every week, it can be challenging for IT departments to keep up and manage their priorities.
Ideal Integrations offers IT management services to pick up the slack and help your department stay ahead of attackers. Whether you are interested in significant outsourcing or just simple assistance on a specific project, we’re here to help.
Contact us today to get started! Just complete the form below, or call 412-349-6680.