CVE-2019-19781

AWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.

At the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.

If you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs

This vulnerability appears to be based on a web request to a /vpns/ resource containing a directory traversal reference. The traversal reference seems to grant access to the admin portal. This specifically is blocked by the skip_systemaccess_policyeval flag in the interim fix published by Citrix. Based on what information is available publicly, the vulnerability can be exploited to gain code execution on the Citrix server without authentication information. This would be very useful to an attacker because it could be exploited remotely, without authentication and due to the nature of Citrix servers often having a lot of traffic which could facilitate an attacker’s efforts to obfuscate their activity.

In some environments, Cirtix servers may not be patched as frequently as other systems due to their mission critical nature of providing applications for external users. In this case, attackers may have an easier time in escalating their privileges once code execution has been obtained. This would only be necessary if the initial vector did not already yield NT_AUTHORITY\SYSTEM privileges which the current information does not specify.

Numerous public reporting on this being leveraged to enter org perimeter appliance.

There are now public exploits for this and it is now reliable and low-risk to exploit. More info at https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix which is a pretty reasonable approximation for how this AKB entry would ideally look :) Also of note, https://twitter.com/buffaloverflow/status/1216807963974938624 mentions a number of files of interest to an attacker.

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

• Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
  
• Mitigation: Update affected Citrix devices with the latest security patches

This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF