Hello, welcome to the Friday, July 10th, 2020 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Yesterday I mentioned how the Citrix vulnerabilities became somewhat more important because Donny Maslund did publish

a blog post with additional details about how to exploit these vulnerabilities. Well,

it turns out that this morning our honeypots did see a scan from actually only a very small number of sources, but they were scanning

for two of the vulnerabilities, one that can be used to read arbitrary files, and a second one that

does retrieve a PCI-DSS compliance document without authentication.

Now, the file that these exploit attempts retrieved with Etsy password,

Etsy password, of course, does not contain any passwords, but usernames.

I really rank this more sort of as a reconnaissance scan

where someone is just checking whether or not these systems are vulnerable.

Our honeypots actually were still configured to act as F5 Big IP devices, so they just responded

with 404 errors to these requests.

And talking about F5 Big IP, one configuration change I made to our Honeypots

this morning was to configure them to be essentially patched systems with the workaround applied,

so they also returned 404 errors to these exploit attempts for the F5 vulnerabilities.

I didn't see any query that would try to bypass the workaround,

so that may still be fairly rare and not something the internet is sort of scanned for at large.

Now, in an added development to the Crix vulnerability, Donnie Maslin also now published

a YouTube video showing how the cross-site scripting vulnerability that had been patched by

Citrix can be leveraged to get full remote code execution.

Now, there isn't a lot of detail, it's really just a video demo without showing any of the underlying code other than sort of a couple of hints as to, for example, what error messages

...