Last month, Citrix announced that their Citrix Application Delivery Controller (ADC) and Citrix Gateway have a vulnerability that allows unauthenticated remote attackers to execute code on vulnerable gateways. If attackers successfully exploit this vulnerability, they can take complete control of affected gateway servers. Tens of thousands of businesses worldwide are exposed due to this flaw. And now, POC code is publically available on GitHub making exploitation even easier.
Affected customers were advised to follow provided mitigation steps and then upgrade all of their vulnerable appliances to a new version of the appliance firmware later this month. But the real question is, why are we still using these arcane constructs to provide remote access to our most valuable corporate assets? How many VPN-related breaches must organizations endure before they finally say enough to solutions that cannot deliver sufficient security?
Why is it important?
This particular gateway appliance sits at the edge of a company’s network and is a critical entry point to the internal network. Any attacker compromising one of these gateways can laterally move into the corporate network and comprise other critical systems. It is essentially the equivalent of leaving the front door to the perimeter unlocked and unguarded.
CVE-2019-19781: This particular vulnerability is also a very trivial mistake which raises a tremendous amount of doubt on whether Citrix has any secure coding practices in place. The exploitation of the vulnerability requires no special skills, anyone can run one of the exploit scripts to get a remote shell, making it a very attacker-friendly vulnerability with a 100% success rate on the first attempt. To add insult to injury, researchers also found out that the LDAP password stored in the Citrix gateway is encrypted with a fixed key and can be easily decrypted which can be used to dump all corporate users and further leveraged to compromise Active Directory where all users and their passwords are stored within the organization.
Fyde’s take on the issue
“We haven't witnessed an SDLC failure at this scale since the Palo Alto Networks GlobalProtect remote code execution vulnerability, yet another legacy VPN. Once again, legacy security software at critical vantage points such as Internet gateways remains to be your greatest security risk. Device and service identity and authentication flows which are essential parts of the Zero Trust architecture principles would have mitigated the pre-auth and remote exploitation of such a trivial vulnerability. Endpoints that are not authenticated with a company-issued device certificate should not be able to talk to your enterprise internet gateway. It is an unthinkable failure in this new decade. It is high time to dump legacy VPN and switch to a continuous-authentication and granular, role-based authorization solution built on Zero Trust,” - said Sinan Eren, Founder, and CEO at Fyde.
Why Zero Trust is the answer
Zero Trust is the modern concept of secure access to resources on corporate networks. It helps establish unparalleled access control across users and devices without the performance and security pitfalls of a traditional VPN.
Zero Trust supports remote, conditional, and contextual access to resources and reduces over-privileged access and associated third-party risks. It allows employees, and partners to access corporate apps and cloud workloads without creating additional attack surfaces. Most importantly, it helps eliminate the pain and time associated with credential management and the potential repercussions of privileged access misuse.
Security isn’t an afterthought
“These incidents remind us that security is never absolute and should never be taken for granted.
It is extremely important to get the fundamentals right: always assume that any system can be compromised and make sure to get monitoring in place. Zero Trust principles can help. Don't forget that any tool added to your security arsenal needs to be regularly updated and maintained, and try to contain each resource with its own set of policies to minimize attack surface and risk,” says Luisa Lima, Founder, and VP Engineering at Fyde.