When Positive Technologies reported a serious flaw in a core element of the Citrix architecture just before Christmas, they predicted up to 80,000 businesses could be at risk.
If that vulnerability is exploited, attackers obtain direct access to the company’s local network from the Internet. This attack does not require access to any accounts, and therefore can be performed by any external attacker.
~ Positive Technologies
With the turn of the new year, a security researcher who has deployed honeypots on the web is reporting scans that indicate attackers are trying to exploit the vulnerability, which has not yet been patched by Citrix.
The flaw in the Citrix Application Delivery Controller affects all supported versions and platforms. The problem is a directory traversal vulnerability which can be leveraged to achieve code execution (CVE-2019-19781). Since Citrix systems are typically deployed on the public internet as remote access solutions, the risk is particularly serious.
Citrix has not yet provided a patch; however, it has issued a range of mitigation steps which it strongly advises customers to implement. Users could also configure a web application firewall to further block the malicious traffic that includes ‘/../vpns/’ or ‘/vpns/cfg/smb.conf’.
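As an added illustration (not code from the article, Citrix, or Positive Technologies), the same two path fragments can be checked retrospectively against web server access logs to find earlier scanning. The log format is assumed to be common log format, the sample lines are constructed, and the matcher also compares the percent-decoded path so that an encoded traversal is not missed.

```python
import re
from urllib.parse import unquote

# The two path fragments the article names as WAF block indicators.
INDICATORS = ("/../vpns/", "/vpns/cfg/smb.conf")

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:08:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532
203.0.113.9 - - [10/Jan/2020:08:01:03 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 310
198.51.100.7 - - [10/Jan/2020:08:01:04 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 310
192.0.2.4 - - [10/Jan/2020:08:01:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 901
"""

# Minimal common-log-format parser: client IP plus the request path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)


def matched_indicator(path: str):
    """Return the first indicator found in the raw or percent-decoded path, else None."""
    for candidate in (path, unquote(path)):
        for indicator in INDICATORS:
            if indicator in candidate:
                return indicator
    return None


def scan_access_log(text: str):
    """Return (client_ip, raw_path, indicator) for every request that matches."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        indicator = matched_indicator(match.group("path"))
        if indicator:
            hits.append((match.group("ip"), match.group("path"), indicator))
    return hits


if __name__ == "__main__":
    for ip, path, indicator in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested {path} (matched {indicator!r})")
```

Only hits are reported, so a clean log yields no output; extend INDICATORS if Citrix publishes further fragments in its mitigation guidance.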