We looked into the exploits and patch information of the top 10 routinely exploited vulnerabilities that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published on May 12, 2020. Table 1 lists the details. If a CVE has multiple exploits in Exploit Database, the exploit publication date is based on the earliest published exploit. The patch information is obtained from the vendor advisory pages. In this smaller sample set, 10% of the exploits are zero-day and 40% of the exploits are available in the first week after the patch release. These numbers match the statistics drawn from Figures 4 and 5. The percentage of zero-day exploits, or exploits published before the CVE disclosure, is lower than what we observed in the larger sample because the most exploited vulnerabilities often affect prominent vendors such as Microsoft and Adobe, who can resolve vulnerabilities and release updates much faster than many other affected vendors. Many third-party vendors or open-source projects do not have sufficient resources to handle newly reported vulnerabilities and end up having exploits reach the public before the patches or the CVE publication.
Questions to the community and to Citrix directly:

Question to Citrix: I would like a 100% statement on whether NetScaler devices in the Citrix Cloud were attacked. If so, what measures were taken?

Question to Citrix: Were all partners fully informed with all technical details about the vulnerability and potential threats? By that I do not mean the reference to the single document "CTX267679 - Mitigation steps for CVE-2019-19781". There is no clear recommendation from Citrix on how to act in case of a vulnerability.

Question to Citrix: Due to the vulnerability, the configuration data of NetScaler, passwords of nsroot, and passwords of ALL users who have ever logged in via NetScaler at some point in time have been transferred to the outside world. What action does CITRIX recommend? Exact details please!

Question to Citrix: Some NetScalers/ADC use the FreeBSD operating system as a Linux system. However, the corresponding version of the NetScaler operating system is "OUT-OF-DATE". When will there be changes and updates?

According to the manufacturer, security updates will not be available until the end of January 2020, depending on the version branch of the affected products. These should then be installed as soon as possible, according to Citrix. I seriously wonder why it takes about 6 weeks to close such a large security hole, which has been known since 17.12.2019. That can only mean that:

1. Citrix itself is not technically capable of handling the problem
2. Citrix does not have sufficient trained personnel to deal with the problem as quickly as possible
3. Citrix may be pushing the "cloud" strategy. Perhaps the statement "This wouldn't have happened in the cloud" will come in mid-February - let's see what else we can expect.

In Germany alone, almost 5,000 vulnerable Citrix systems accessible from the Internet have been reported to German network operators in the past few days. Currently, around 1,500 of these are still vulnerable to attackers. (Source: BSI)

Worldwide, about 40,000 systems are likely to be affected. Unfortunately Citrix reacts slowly; workarounds and patches are not offered comprehensively, and solutions are recommended. A "shutdown" of the systems is certainly no solution, but at most a "workaround".

Citrix provides an analysis tool (CTX269180) for a potential attack. But Citrix also says: "Please note that the tool is not designed to detect the vulnerability against the NSIP or other Management IPs" - well, have fun with it, wow!
Exploits Published For Citrix ADC Vulnerability, Patches Coming Soon