tl;dr

On July 7th, 2020 Citrix disclosed a number of vulnerabilities in its Application Delivery Controller (ADC), Gateway and SD-WAN WANOP appliances (Citrix security bulletin CTX276688). This blog is a summary of what we know as the situation develops.

About the Research and Intelligence Fusion Team (RIFT):
RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IoCs and detection capabilities to strategic reports on tomorrow’s threat landscape. Cyber security is an arms race where both attackers and defenders continually update and improve their tools and ways of working. To ensure that our managed services remain effective against the latest threats, NCC Group operates a Global Fusion Center with Fox-IT at its core. This multidisciplinary team converts our leading cyber threat intelligence into powerful detection strategies.

SANS Reporting

SANS ISC first reported on July 9th that it was seeing scanning activity against Citrix appliances, although it was unclear which of the disclosed vulnerabilities the scans were targeting.

Combination of Two Vulnerabilities

Two of the issues can, when combined, result in remote compromise:

  • CVE-2020-8193 – an authorization bypass that gives unauthenticated access to certain URL endpoints
  • either CVE-2020-8195 or CVE-2020-8196 (both information disclosure issues) – at the time of writing it is unclear which of the two is being used

We have seen these two issues combined.

Impact and Advice

NCC Group’s RIFT has been able to achieve compromise, but so far only in certain esoteric configurations.

Our advice is to deploy Citrix’s fixed builds as soon as possible.

Change Log

July 10th, 2020 @ 13:50 – v1.0 – Initial version

Published by RIFT: Research and Intelligence Fusion Team

