CVE-2020-8193, CVE-2020-8195, and CVE-2020-819: Active Exploitation of Citrix Vulnerabilities

Following active exploitation against F5 BIG-IP devices, exploit attempts targeting newly disclosed vulnerabilities in Citrix products have begun, which include potential extraction of VPN sessions on vulnerable targets.

On July 7, Citrix disclosed 11 new vulnerabilities in the Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliance devices. Following the disclosure of these vulnerabilities, Citrix published a blog post noting that there were some barriers to exploitation, but encouraged customers to apply the security fixes as soon as possible. Shortly after the disclosure, Dr. Ullrich of SANS Internet Storm Center (ISC) detected unidentified exploit attempts leveraging some of these vulnerabilities, which appeared to be probing for vulnerable devices.

Of the 11 vulnerabilities patched by Citrix, attackers are attempting to exploit the following CVEs in the wild:

CVE-2020-8193 is an authorization bypass vulnerability in the management interface on the device’s NSIP address. The NSIP address is a specific device IP address dedicated to the management interface for Citrix devices. An attacker could send a specially crafted request to the NSIP address that bypasses the administrator login and gain direct access to the device.

CVE-2020-8195 and CVE-2020-8196 are information disclosure vulnerabilities found in the management interface with either user access or after exploiting the auth bypass on the device. By sending a specially crafted HTTP request, an attacker could retrieve important device information like configuration files. At this time, it’s unknown which of these two vectors are specifically being used to target victims due to the similarities between the vulnerabilities. 

Tenable strongly recommends applying these patches as soon as possible, especially now that active exploitation has been observed in the wild.

For more information about the vulnerability, including the availability of patches and Tenable product coverage, please visit our blog.