I just can't get away from vulnerabilities in perimeter security devices. In the last couple of days, I spent a lot of time with our F5 BigIP honeypot. But looks like I have to revive the Citrix honeypot again. As of today, my F5 honeypot is getting hit by attempts to exploit two of the Citrix vulnerabilities disclosed this week . Details with proof of concept code snippets were released yesterday .
It is not clear exactly which CVE was assigned to which vulnerability, but the possible candidates are CVE-2020-8195, CVE-2020-8196,
The first issue, probably the more severe one, is allowing for arbitrary file downloads. I see this issue currently exploited from just one IP address: 188.8.131.52 (Amazon.. my honeypot must have Amazone Prime to get exploits next day).
The second vulnerability (which I don't think has a CVE assigned to it, but I will update this diary if I find one), allows retrieval of a PCI-DSS report without authentication. Actually... you still need to "authenticate" I guess, by adding "sig_name=_default_signature_" to the URL :/.
The full request I see being used (just the Apache log):
Interestingly: So far, most of the IPs that are scanning for this vulnerability belong to "hostwindsdns.com"
The vulnerability isn't all that "bad" (I have to look if the report leaks anything specific). It is not allowing access to anything else. But it could very well be used to identify unpatched devices. Some of the other vulnerabilities patched with this update are "interesting", but more tricky to exploit.Intrusion Detection In-Depth - SANS Baltimore Spring: Virtual Edition 2021
Jul 9th 2020
|Thread locked Subscribe||
Jul 9th 2020
9 months ago