@0xDUDE
There is a high probability that Citrix ADC servers with no mitigation applied on or after January 9, 2020, have been taken over and their TLS certificates and associated keys have been stolen. [2/2]
Please patch AND revoke your certificates.

Victor Gevers
@0xDUDE
15 Jan

Since December, @GDI_FDN has reported over 98 thousand vulnerable Citrix Netscalers to their organizations or their ISP and is monitoring over 120 thousand servers. The Dutch Security Hotline of @DIVDnl is reporting vulnerable instances in the Netherlands. securitymeldpunt.nl/2020/01/15/How… pic.twitter.com/BOIxMXzkbT

Victor Gevers
@0xDUDE
15 Jan

There are roughly 37 thousand Citrix #Shitrix devices online, which are still vulnerable (CVE-2019-19781). In the last 48 hours, we noticed a quick decline of vulnerable devices from 89 thousand to 37 thousand. Just a few more days and this mess could be cleaned up? :-) pic.twitter.com/q1cwMwYOLA

Victor Gevers
@0xDUDE
17 Jan

The number of vulnerable Citrix #Shitrix endpoints is going down. Our latest scan (made from 13.95.153.127 and 137.117.226.20) detected 17,613 which are still vulnerable.
Newly added (honeypot) hosts that appeared after December are ignored. pic.twitter.com/RenUqtbQOk

Victor Gevers
@0xDUDE
17 Jan

In about 5 minutes, a new scan to search for vulnerable Citrix #Shitrix endpoints will run again. So if you see 104.45.30.171 touching your Citrix server, then please don't panic. We are the good guys. Have a great weekend! :-) pic.twitter.com/SrTQ6lqI5q

Victor Gevers
@0xDUDE
17 Jan

The number of vulnerable Citrix #Shitrix endpoints went down again today. There are 16,466 vulnerable endpoints left. 1,147 endpoints are not vulnerable anymore since yesterday. pic.twitter.com/I0yfUVOUyq

Victor Gevers
@0xDUDE
18 Jan

Today's scan shows that 15,626 Citrix endpoints are still vulnerable.
docs.google.com/spreadsheets/d…

Victor Gevers
@0xDUDE
19 Jan

The weekend is over. Today's scan shows there are 15,602 vulnerable Citrix servers online. The number of honeypots is steadily increasing while the number of vulnerable servers is going down.
docs.google.com/spreadsheets/d… pic.twitter.com/1eOkKUvqN1

Victor Gevers
@0xDUDE
20 Jan

We are still monitoring the progress of the Citrix #CVE201919781 and the mitigation of it. 12 hours ago Citrix published updates and new fixes. Since 10:00 CET there are 14,564 vulnerable endpoints online. pic.twitter.com/Yyge63UWV1

Victor Gevers
@0xDUDE
20 Jan

17 hours ago, Citrix published updates & new fixes for #CVE201919781. 14,180 are still vulnerable. There are sensitive networks unpatched out there. With only a few volunteers we are trying to help (remotely) these organizations that are behind or stuck in the mitigation process. pic.twitter.com/6OkZ5wt7wS

Victor Gevers
@0xDUDE
22 Jan

A first analysis by the Dutch Security Hotline of @DIVDnl of the scan data collected on the night of January 9 to 10 shows that of the more than 700 vulnerable Citrix servers identified in the Netherlands, over 450 used wildcard certificates. [1/2]
securitymeldpunt.nl/cases/202002-W…

Victor Gevers
@0xDUDE
22 Jan

Indicator of Compromise Scanner for CVE-2019-19781. A utility for detecting compromises of Citrix ADC Appliances. twitter.com/cglyer/status/…

Victor Gevers
@0xDUDE
23 Jan

Citrix ADC (NetScaler) Honeypot. Supports detection for CVE-2019-19781 and login attempts.
Detects and logs payloads for CVE-2019-19781 (Shitrix / Citrixmash)
Logs failed login attempts
Serves content and headers taken from a real appliance. twitter.com/x1sec/status/1…

Victor Gevers
@0xDUDE
23 Jan

🎵 11,704 Citrix servers with CVE-2019-19781 on the net, 11,704 Citrix servers with CVE-2019-19781.
Patch 332 down, Mitigate it around, 11,372 Citrix servers with CVE-2019-19781 on the net... 🎵
docs.google.com/spreadsheets/d… pic.twitter.com/12L8PHOekV

Victor Gevers
@0xDUDE
24 Jan

CVE-2012-4606 Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest OS to gain elevated privileges.
twitter.com/cvenew/status/… pic.twitter.com/ZO2wJ3Yr0I

Victor Gevers
@0xDUDE
26 Jan

"Patching the Citrix ADC Bug Doesn't Mean You Weren't Hacked" by @Ionut_Ilascu
twitter.com/BleepinCompute…

Victor Gevers
@0xDUDE
1 Feb

Detecting Citrix CVE-2019-19781 via @USCERT_gov
us-cert.gov/ncas/alerts/aa…

Victor Gevers
@0xDUDE
1 Feb

"We checked the Netscaler logs and found no evidence of successful exploitation of the vulnerability. Why are you suggesting to redeploy it with new credentials and new certificates?"
This is the /etc/password file of your server. Did you not see this in your log files? RCE = ☠️ pic.twitter.com/yDJfhXfyLL