Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688 SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688

I just can't get away from vulnerabilities in perimeter security devices. In the last couple of days, I spent a lot of time with our F5 BigIP honeypot. But looks like I have to revive the Citrix honeypot again. As of today, my F5 honeypot is getting hit by attempts to exploit two of the Citrix vulnerabilities disclosed this week [1]. Details with proof of concept code snippets were released yesterday [2].

It is not clear exactly which CVE was assigned to which vulnerability, but the possible candidates are CVE-2020-8195, CVE-2020-8196, 

The first issue, probably the more severe one, is allowing for arbitrary file downloads. I see this issue currently exploited from just one IP address: 13.232.154.46 (Amazon.. my honeypot must have Amazone Prime to get exploits next day).

POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1 

The second vulnerability (which I don't think has a CVE assigned to it, but I will update this diary if I find one), allows retrieval of a PCI-DSS report without authentication. Actually... you still need to "authenticate" I guess, by adding "sig_name=_default_signature_" to the URL :/. 

The full request I see being used (just the Apache log):

POST /pcidss/report?username=nsroot&set=1&type=allprofiles&sid=loginchallengeresponse1requestbody HTTP/1.1" 404 211 "-" "python-requests/2.19.1"

Interestingly: So far, most of the IPs that are scanning for this vulnerability belong to "hostwindsdns.com"

Current IPs:

23.254.164.181
23.254.164.48
43.245.160.163
104.168.166.234
104.168.194.148
142.11.213.254
142.11.227.204
192.119.73.107
192.119.73.108
192.236.162.232
192.236.163.117
192.236.163.119
192.236.192.119
192.236.192.3
192.236.192.5
192.236.192.6

The vulnerability isn't all that "bad" (I have to look if the report leaks anything specific). It is not allowing access to anything else. But it could very well be used to identify unpatched devices. Some of the other vulnerabilities patched with this update are "interesting", but more tricky to exploit.

[1] https://www.citrix.com/blogs/2020/07/07/citrix-provides-context-on-security-bulletin-ctx276688/
[2] https://dmaasland.github.io/posts/citrix.html

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Twitter|

Johannes

3908 Posts
ISC Handler
Jul 9th 2020

Sign Up for Free or Log In to start participating in the conversation!