back to article Patch now: Published Citrix applications leave networks of 'potentially 80,000' firms at risk from attackers

A critical vulnerability found in Citrix Application Delivery Controller and Citrix Gateway (formerly known as Netscaler ADC and Netscaler Gateway) means businesses with apps published using these technologies may be exposing their internal network to unauthorised access. Citrix (NetScaler) ADC is a load balancer and …

  1. cbars Bronze badge

    "Any application on any device from any location"

    By anybody!

    1. Paul Herber Silver badge

      Watch out for someone using a sleigh load-balancer over the next few days. Not a black-hat hacker, nor a white-hat hacker, red-hat maybe ...

      1. ds6 Silver badge

        Stop, with the puns, this is a red alert!

        ...

        1. Fruit and Nutcase Silver badge

          At the very least, a red nosed reindeer alert

    2. Anonymous Coward
      Anonymous Coward

      By anybody...

      ...who knows a zero day exploit.

      To be fair, that applies to all software. Patch and move on people :)

      1. Anonymous Coward
        Anonymous Coward

        Re: By anybody...

        @"To be fair, that applies to all software. Patch and move on people :)"

        "Ah, the house burnt down, meh it's all in a days work" this level of complacency is unbecoming in someone supposedly taking security seriously.

        Perhaps making certain that code is free of vulnerablities before releasing would be better than having to rebuild the house each time, certainly if you are having to pay the costs.

        1. Anonymous Coward
          Anonymous Coward

          Re: By anybody...

          "Perhaps making certain that code is free of vulnerabilities before releasing would be better than having to rebuild the house each time, certainly if you are having to pay the costs."

          A true Christmas miracle....secure code...

      2. amanfromMars 1 Silver badge

        Re: By anybody...

        By anybody...

        ...who knows a zero day exploit.

        To be fair, that applies to all software. Patch and move on people :) ..... Anonymous Coward

        Of course, some vulnerabilities are abiding exploits which will never have patches available.

        That puts real smart zero days in effective leading command and control ....... which you may note is not a question to suggest the possibility or existence of doubt.

        And such is the exciting nature of future shenanigans. I Kid U Not.

        And a quite surreal and most efficient stealth is provided by the presence of an insistent persistent disbelief.

        Oh, and Merry Xmas, El Regers. ...... Ever onwards and upwards. :-)

        1. ds6 Silver badge
          Mushroom

          Re: By anybody...

          Hey, that was a cohesive post.

          Is the sky falling or is it just me?

          1. amanfromMars 1 Silver badge

            Re: By anybody...

            Howdy, ds6,

            Regarding .. Is the sky falling or is it just me? ..... in the quantum environment are both an experience one can imagine and realise for the birthing and/or berthing of other virtual realities one can driver oneself in the company of others similarly gifted .... or cursed as the case may be in those less than well enough enabled to cope and deal with all manner of such matters.

            Crikey, Jumping Jehoshophat Batman, .... a brace of cohesive posts in as many days. That's definitely progress in deed, indeed.

  2. werdsmith Silver badge

    Perhaps making certain that code is free of vulnerablities before releasing would be better than having to rebuild the house each time, certainly if you are having to pay the costs.

    And when that miracle happens it will be the first time. And we won’t even know it’s happened.

  3. steviebuk Silver badge

    Is this by "breaking out"

    Most of the Citrix setups aren't setup properly. So from a dialogue box, such as a save box, you can browse the local server, run cmd, then run IE or whatever other browser is installed. Then use their server to browse the Internet bypassing any local filtering. Also download all your exploits to that server from itself.

    No one would leave a server so open I hear you say. Yes they would. A finance department were using a very small company to supply them with their finance app. With the main company we were at forcing a move to "cloud" for every department this small company didn't want to loose business so said they now had a "cloud" version of their app. They didn't really. It was just stuck on a server in one data centre. I said I wanted to test it before fully going live. They hadn't implemented 2fa, which they put on after my suggestion. Then once on the server it was easy to break out of the app, browse the server, run whatever you wanted and surf the net to your hearts content. They originally were gonna make it live in that state!

    1. robidy

      Re: Is this by "breaking out"

      It's an unauthenticated remote code execution. Can't see the relevance of the user setup. Not sure I get what ur mumbling...

      1. Anonymous Coward
        Anonymous Coward

        Re: Is this by "breaking out"

        I'm guessing someone is equating an unauthenticated remote code execution flaw with a poorly setup Citrix environment to suggest all Citrix environments are insecure.

        Next they will be using the same post to show how they brilliantly saved the world while still missing the original point...

    2. Anonymous Coward
      Anonymous Coward

      Re: Is this by "breaking out"

      Erm... Windows has functionality to authenticate who is logging in. Then they are logged in - in a similar way to if they log in to a desktop or laptop.

      Being able to run look at files you have permissions to look at, and run web browsers on a computer that you have logged into is not really a security issue. If it is you are doing it wrong.

  4. RobinCM

    SSL VPN?

    Surely it'll be using TLS?

    Why do people insist on calling something by a defunct technology acronym that (almost certainly) isn't even in use in that product?

    1. ds6 Silver badge

      Re: SSL VPN?

      Citrix calls it that, Sonicwall calls it that, elreg too... the hot buzzword is SSL VPN likely because no one has updated their documentation.

    2. Anonymous Coward
      Anonymous Coward

      Re: SSL VPN?

      "Why do people insist on calling something by a defunct technology acronym that (almost certainly) isn't even in use in that product?"

      It gets worse, I was in a pub watching something called "football" and they used both their feet and their heads. Ridiculous isn't it?

      And when are they going to release HTTPT?

    3. robidy

      Re: SSL VPN?

      Based on Heinz failed attempt to rebrand Salad Cream to sandwich cream, I'm not sure there's any hope that TLS will replace SSL, for vpn's or secure web access in the public's eyes, in the next decade or two ha ha.

      Plus ignoring the technical geekery, there is something comforting about SSL the public will always love...however mis-guided.

  5. TimMaher Silver badge
    Pint

    Merry Citrix everybody!

    There is very mystic, Christmassy feel to comments on this article.

    Wekl done commentards.

  6. Simonrowan

    Slapdash Citrix

    Ever since xendesktop 7 was released, the product has been utter tosh. Released too early with a sub standard featureset full of bugs and now security flaws. The product of cheap and agile software development. It's ok it will be a good.product 8 years after initial release

  7. g-lock

    Unauth'd RCE

    This one scared the shit out of me when it dropped last week. Not much detail was forthcoming in the vulnerability writeup, but the mitigation is to put a Responder filter in to prevent what appears to be directory traversal. That would be pretty trivial to exploit.

  8. Anonymous Coward
    Anonymous Coward

    Checking if the exploit has been used

    Has anyone identified a way to check if the exploit has been used?

  9. andy mcandy

    I wonder if this is the vuln used for the Travelex "virus". The timing is right :)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like