Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688
Last Updated: 2020-07-09 12:12:24 UTC
by Johannes Ullrich (Version: 1)
I just can't get away from vulnerabilities in perimeter security devices. In the last couple of days, I spent a lot of time with our F5 BigIP honeypot. But looks like I have to revive the Citrix honeypot again. As of today, my F5 honeypot is getting hit by attempts to exploit two of the Citrix vulnerabilities disclosed this week . Details with proof of concept code snippets were released yesterday .
It is not clear exactly which CVE was assigned to which vulnerability, but the possible candidates are CVE-2020-8195, CVE-2020-8196,
The first issue, probably the more severe one, is allowing for arbitrary file downloads. I see this issue currently exploited from just one IP address: 126.96.36.199 (Amazon.. my honeypot must have Amazone Prime to get exploits next day).
POST /rapi/filedownload?filter=path:%2Fetc%2Fpasswd HTTP/1.1
The second vulnerability (which I don't think has a CVE assigned to it, but I will update this diary if I find one), allows retrieval of a PCI-DSS report without authentication. Actually... you still need to "authenticate" I guess, by adding "sig_name=_default_signature_" to the URL :/.
The full request I see being used (just the Apache log):
POST /pcidss/report?username=nsroot&set=1&type=allprofiles&sid=loginchallengeresponse1requestbody HTTP/1.1" 404 211 "-" "python-requests/2.19.1"
Interestingly: So far, most of the IPs that are scanning for this vulnerability belong to "hostwindsdns.com"
The vulnerability isn't all that "bad" (I have to look if the report leaks anything specific). It is not allowing access to anything else. But it could very well be used to identify unpatched devices. Some of the other vulnerabilities patched with this update are "interesting", but more tricky to exploit.
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute