
CVE-2019-19781 - exploited Wildcard-Certificates List


Jens Ostkamp


Hey everyone,

 

Probably you guys have to deal with the aftermath of the well-known CVE, so I hope someone has some time to answer my question:

I've come across a "list" of "exposed" wildcard certificates on the internet. As we know, compromised ADC appliances held the private key of our (wildcard) certificates, so if an appliance got hijacked it is likely that the attacker could also obtain this critical information.

So far so bad - I have patched around 30 appliances these days (and some time before hotfixed the same amount) and of course I've always checked with all the tools, scans and bash commands I could find to look for a possible attack on the appliances. Some were compromised, some not. Now to my question again - https://github.com/tijlvdb/wildcarded-citrix-2020/blob/master/exposed_wildcards.txt this list of possibly exposed wildcard certificates got my attention, especially since there is another site around which basically checks for exposed certificates or unpatched appliances as well (and I think regarding the certificate check it relates to this database). Now my problem with this list is that I can find certificates of appliances belonging to me (or my clients) which never showed any sign of attack; I have been really fast, implementing the workaround the day it got released and of course patching the appliances as soon as the patches were available. Still, certificates belonging to these appliances show up there, which confuses me a bit, because I can rule out a successful attack almost certainly. On the other hand, as I wrote, I had some compromised appliances which definitely should show up on that list (or the certificates belonging to these appliances), but they don't.

Does anyone of you know how trustworthy this list is or how the information about these certificates got there? Because I find this really disturbing. I could understand if I found certificates there belonging to one of the compromised appliances I manage, but as I described it doesn't make much sense to me, and I am not sure if I should re-deploy all of those appliances belonging to these certificates or if it's a false alarm.

Would be really grateful if someone could give me a hint here.

Thanks very much in advance!

Best regards

Edit: just as I wrote the post, the GitHub link doesn't seem to work anymore.

The site which I checked against (and mentioned above regarding the database, which now seems to be unavailable) is: https://cve-2019-19781.azurewebsites.net/ I think this site got mentioned a couple of times in other articles about this CVE as well, so I don't know how relatable it is.

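The post's core point is that a compromised appliance exposes the private key of a wildcard certificate, which then covers every hostname under that wildcard, not just the appliance itself. Whether a given list is trustworthy is a separate question the post leaves open; the script below, an added example that is not part of the original thread and not related to the referenced GitHub list (whose format is unknown here), only helps scope the response once you decide to treat a list entry as an exposed key: it matches an inventory of hostnames you manage against exposed wildcard names using the single-label wildcard rule (`*.example.com` covers `gateway.example.com` but not `a.b.example.com` and not the apex `example.com`), so you can see which hosts would need the certificate revoked and reissued. All domain names and the list format are constructed for the example.

```python
"""Triage an inventory of hostnames against wildcard names reported as
exposed, using the single-label wildcard rule (RFC 6125 style) so that the
blast radius of a leaked wildcard key is neither over- nor under-estimated."""

# Constructed sample list (assumed one wildcard name per line; this is not the
# format of the GitHub list mentioned in the post, which is unavailable).
EXPOSED_WILDCARDS = [
    "*.example.com",
    "*.corp.example.net",
    "*.EXAMPLE.ORG",      # case must not matter for DNS names
]

# Constructed inventory of hostnames served by appliances you manage.
INVENTORY = [
    "gateway.example.com",
    "vpn.branch.example.com",   # two labels below the wildcard: not covered
    "example.com",              # apex: not covered by *.example.com
    "portal.corp.example.net",
    "citrix.example.org",
    "unrelated.example.io",
]


def normalize(name):
    """Lower-case and strip a trailing dot so comparisons are DNS-insensitive."""
    return name.strip().lower().rstrip(".")


def wildcard_matches(pattern, hostname):
    """True if `pattern` (e.g. '*.example.com') covers `hostname`.

    The wildcard stands in for exactly one non-empty DNS label, so
    '*.example.com' covers 'a.example.com' but neither 'a.b.example.com'
    nor the apex 'example.com'. Non-wildcard patterns must match exactly.
    """
    pattern = normalize(pattern)
    hostname = normalize(hostname)
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                 # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]  # the part the '*' must stand in for
    return leftmost != "" and "." not in leftmost


def triage(inventory, exposed):
    """Map each inventory hostname to the exposed wildcard covering it, or None."""
    result = {}
    for host in inventory:
        hit = next((p for p in exposed if wildcard_matches(p, host)), None)
        result[normalize(host)] = normalize(hit) if hit else None
    return result


def hosts_needing_reissue(inventory, exposed):
    """Sorted hostnames whose certificate should be revoked and reissued."""
    return sorted(h for h, p in triage(inventory, exposed).items() if p)


if __name__ == "__main__":
    for host, pattern in triage(INVENTORY, EXPOSED_WILDCARDS).items():
        print(f"{host:28} -> {pattern or 'no match'}")
```

In practice you would load the exposed list from the downloaded file and the inventory from your configuration management, and the matched hosts become the list for key revocation and certificate reissue. The matcher deliberately rejects the apex and multi-label names; a naive `endswith` check would flag `example.com` and `vpn.branch.example.com` as covered and inflate the reissue list.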

Hey,

 

Thank you for your reply. We had documented cases where clients of ours got attacked before Citrix even made the vulnerability public, and other cases where log files got manipulated or deleted. That's why we will re-install every appliance in the wild, no matter whether we could detect a successful attack or not; since this vulnerability has been exploitable forever, we won't take any risks, even though it's not really a trust-supporting thing for our clients regarding Citrix's reputation.

