Hello and welcome to the Wednesday, December 20th,

2020, 3 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

This morning I was going over the logs in one of my honeypots

and saw a log entry that we don't really see much in our general

logs from all of our other honeypots, but this particular honeypot got hit pretty strongly

for this one URL, and that URL was essentially the Open ID configuration file, a commonly exposed file,

so there's not a file that's supposed to be secret on servers that run open ID. And I was

wondering a little bit, why did this happen? Well, it turns out that in this particular case,

it was actually related to Citrix Leighton.

I didn't know this is originally when I posted it, so I really just post it as a question what this URL is about.

Dustin Decker was nice enough to point out that this is related to Citrix bleedplete, the vulnerability that does allow an attacker to essentially read memory from Citrix servers.

CitrixSplete, I think I covered it a couple times before, but the way the attack works is

that an attacker has to hit one of these specific URLs and provide an overly large host name.

In that case, the exploit works a little bit similar to what we had with Heartbleed,

that random memory is being dumped back to the attacker.

That memory may include things like cookie information with session

IDs that can then be used to take over the instance of Citrix if a user with the right

privileges was logged in. And just as a side note here, this vulnerability is actively being

exploited. Comcast just announced a

breach and apparently Citrix Bleed was one of the ways how they were able to penetrate Comcast's

network. Interestingly, all the four IP address that I saw scanning pretty hard for this

...