A month after information was published about a dangerous vulnerability in Citrix software that threatened 80,000 companies in 158 countries, one fifth of those companies had still taken no measures to eliminate it. This follows from threat intelligence monitoring conducted by Positive Technologies employees.
The critical vulnerability CVE-2019-19781 in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) was discovered in December by Positive Technologies experts.
“At the end of 2019, the United States led the list of potentially vulnerable organizations (more than 38% of all vulnerable organizations), followed by Germany, the United Kingdom, the Netherlands and Australia,” the experts say.
As was previously reported, there was even a mysterious hacker, some sort of Robin Hood, who patched a vulnerable server. On January 8, 2020, an exploit was published that allows an attacker to automate attacks on companies that have not fixed this vulnerability.
“Citrix developers planned to completely eliminate the problem between January 27 and January 31, but released a series of patches for different versions of the product a week earlier. It is important to install the necessary update as soon as possible, and until then, adhere to the Citrix security recommendations that have been available since the publication of the vulnerability information,” warns PT Expert Security Center.
Overall, the trend in eliminating the vulnerability is positive, but 20% of companies still remain at risk. The countries with the highest share of potentially vulnerable organizations today are Brazil (43% of the companies in which the vulnerability was initially identified), China (39%), Russia (35%), France (34%), Italy (33%) and Spain (25%). The best improvement was shown by the USA, Great Britain and Australia: in these countries only 21% of the companies initially identified continue to use vulnerable devices without taking any protective measures.
Recall that by exploiting this vulnerability, an attacker gains direct access to the company's local network from the Internet. No credentials are required to carry out the attack, which means any external, unauthenticated intruder can execute it.
Companies can use application-level firewalls (WAFs) to block a possible attack. Such firewalls detect the attack “out of the box”, but to provide real-time protection the system must be switched from monitoring to blocking mode for dangerous requests.
I would also remind you of the importance of using reliable antivirus software.
Given the total lifespan of the vulnerability (it has existed since the release of the first vulnerable software version in 2014), retrospective detection of its exploitation, and therefore of infrastructure compromise, becomes relevant: installing the patch does not undo an intrusion that happened before it.
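As an added example (not part of the original article and not Positive Technologies' or Citrix's code), the script below does both things the two previous paragraphs call for: it encodes the blocking condition a WAF or the Citrix responder-policy mitigation for CVE-2019-19781 applies (decoded request URL contains both `/vpns/` and `/../`, which is how the published Citrix workaround in CTX267679 is formulated), and it runs that same condition retrospectively over web-access log lines to find exploitation attempts, grouped by source IP. The log lines are constructed for the example in Apache combined-log style; it is assumed that the appliance's `httpaccess.log` (and its rotated copies) can be parsed the same way. Percent-decoding is repeated until stable so that `%2e%2e` and double-encoded `%252e%252e` variants are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined-log style is assumed to be close
# enough to the appliance's httpaccess.log for the request line to parse).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:02:15:01 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1573 "-" "curl/7.64.0"
203.0.113.10 - - [11/Jan/2020:02:15:03 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "-" "curl/7.64.0"
198.51.100.7 - - [11/Jan/2020:02:16:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 9201 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2020:02:16:40 +0000] "GET /vpns/portal/homepage.html HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
192.0.2.55 - - [11/Jan/2020:02:17:00 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 1573 "-" "python-requests/2.22.0"
192.0.2.55 - - [11/Jan/2020:02:17:05 +0000] "GET /vpn/%252e%252e/vpns/cfg/smb.conf HTTP/1.1" 404 196 "-" "python-requests/2.22.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that both
    /vpn/%2e%2e/vpns/ and the double-encoded /vpn/%252e%252e/vpns/ become /vpn/../vpns/."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_vpns_traversal(path: str) -> bool:
    """The condition of the public Citrix mitigation (CTX267679): the decoded URL
    contains /vpns/ together with /../. A plain /vpns/ path is normal traffic for
    an authenticated portal user, so it is deliberately NOT flagged on its own."""
    p = fully_decode(path).lower()
    return "/vpns/" in p and "/../" in p


def scan_log(text: str) -> list:
    """Retrospective check: return every parsed request that matches the
    traversal condition, regardless of response status (a 404 is still an attempt)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_vpns_traversal(m.group("path")):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits


def sources(hits: list) -> dict:
    """Count matching requests per source IP, which is what you hand to IR."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["method"], h["path"], h["status"])
    print(sources(found))
```

Two caveats for real use: the appliance-side mitigation additionally exempts authenticated SSL VPN sessions, a state that is not visible in an access log, which is why the log check keys on the `/../` conjunction rather than on `/vpns/` alone; and an attacker who has already obtained code execution may have cleaned the logs, so a retrospective review should also look for files on the appliance that the appliance itself did not create, not only at request history.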