A large security hole in Citrix network devices has been exploited on a large scale for several days. Golem.de tested today which systems in Germany are currently still affected by the vulnerability. Quite a few of them belong to German public authorities: the Saxon State Parliament, the control centers of the emergency services in Bavaria, the state of Hesse, and the federal railway assets belonging to the Ministry of Transport and Digital Infrastructure. There are also countless companies, universities, hospitals and municipalities.
The CSU in the Bavarian state parliament also operates a Citrix server that is now believed to have been compromised. The EU likewise has numerous vulnerable systems on the network: the European Patent Office, the medicines agency EMA and the European Police Academy are affected.
There is no absolute basis
The incident shows one thing above all: there is no absolute baseline for IT security. This is not about unusual attacks or the need for particularly advanced protective measures. It is simply a matter of this: if a serious security vulnerability in a product becomes known and you use that product, you have to deal with it promptly. Anyone who has not managed to do so almost a month after the gap became known makes it clear that IT security does not matter to them.
The gap, which is now also known as Shitrix, has been known since December 17. Since then, the manufacturer has also provided instructions on how to block attacks. Golem.de reported on it last week after the first technical details became known. Since last Friday, exploits have been freely available on GitHub, and major media outlets have now also picked up the topic.
What is special about the gap: it is extremely easy to exploit; an attack can be carried out with a two-line shell script. According to initial reports, there are currently large-scale attacks that install cryptominers on the affected systems.
We informed all of the authorities and institutions named above today about their vulnerable systems. So far we have received only a few answers. The Bavarian State Office for Security in Information Technology informed us by phone that the systems of the rescue control center there are now protected. Of the ten servers affected, seven were still reachable and vulnerable.
All that is left now is to switch off and start again
If you have not yet updated your systems, you can be almost certain that they are already compromised. There is only one thing left to do: switch off and start from scratch – or do without systems from such a questionable manufacturer.
And even if it is no excuse for the sloppy behavior of the authorities: to date, Citrix has not provided an update for the security vulnerability. There is no excuse for that either.