The Internet has been on fire for the last week, as a vulnerability in Citrix appliances was actively attacked. In the Netherlands, the National Cyber Security Center advised organizations to switch off their Citrix networking appliances.
Now that organizations are switching them back on to patch the affected systems, they may be in for another surprise when they use these devices in combination with Microsoft’s Azure MFA NPS Extension: people using text messages as their multi-factor authentication method are still locked out.
About the vulnerability in Citrix appliances
Citrix ADC and Citrix Gateway appliances, formerly known as Citrix NetScaler ADC and NetScaler Gateway, and Citrix SD-WAN WANOP appliances are vulnerable to a directory traversal bug that leads to remote code execution, and with it to sensitive data and the underlying system.
An attacker can exploit this vulnerability, known as CVE-2019-19781, to execute arbitrary code on these devices without authentication. The attack does not require any (leaked) credentials, and exploit code is freely available on the Internet, so any attacker can use it.
On Sunday January 19th, 2020, Citrix provided fixed firmware builds for Citrix appliances running versions 11.1 and 12.0. Fixes for versions 10.5, 12.1 and 13.0 are expected before the end of January 2020.
About the Azure MFA NPS Extension
Microsoft's Azure MFA service allows for multi-factor authentication as a requirement for access to Azure AD-integrated applications, systems and services. However, some applications, systems and services cannot be integrated.
Systems that cannot be integrated but do support RADIUS can instead be pointed at a Network Policy Server (NPS) running on Windows Server.
The Network Policy Server (NPS) extension for Azure MFA can be used in this scenario to add cloud-based MFA capabilities. With the NPS extension, admins can add phone call, text message, or phone app verification to the existing RADIUS flow.
Citrix' Patch may break RADIUS' challenge-response flow
What several people, including some of our customers, are experiencing is that Citrix' patch, which updates the firmware of 11.1 appliances to build 63.15, breaks the RADIUS challenge-response flow. In the logs, people see the RADIUS Access-Request containing the username and password arrive at the Network Policy Server. But when the RADIUS server answers with an Access-Challenge (carrying a State attribute the client is supposed to echo back, together with the second factor, in a follow-up Access-Request), the Citrix appliance never sends that follow-up. The logon simply hangs.
The Azure MFA NPS Extension uses this challenge-response flow when people use text messages as their multi-factor authentication method: the person has to type the One-time Passcode (OTP) that was sent to the mobile device into an additional field, and the appliance has to relay it to NPS in the second Access-Request.
This method therefore breaks. People using text messages as their multi-factor authentication method still can't access the back-end infrastructure protected by the Citrix appliance(s). Using OTPs from the Microsoft Authenticator app or third-party authenticator apps (Authy, Google Authenticator, etc.) relies on the same second round trip and may be broken as well, but we haven't come across people using these methods yet.
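To make the failing exchange concrete, here is an added example that is not code from the original post, from Citrix or from Microsoft: a minimal RFC 2865 simulation in Python where an NPS-like server (a stand-in for NPS with the Azure MFA NPS extension) and a RADIUS client (a stand-in for the appliance) talk in-process. The shared secret, the user alice, her password and her OTP are constructed test data; `answer_challenge=False` models the reported post-patch behaviour where the appliance receives the Access-Challenge and never sends the follow-up, and the `"push"` method models the phone call and Authenticator notification methods, which complete without a second round trip.

```python
"""RADIUS (RFC 2865) challenge-response, simulated in-process. Server side stands in
for NPS with the Azure MFA NPS extension, client side for the RADIUS client on the
Citrix appliance. Constructed example, not code from either product."""
import hashlib
import os
import struct

SECRET = b"constructed-shared-secret"  # constructed; never use a value like this for real
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types

def pap_crypt(data, authenticator, secret, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + prev)."""
    if not decrypt:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (block if decrypt else res)  # chain on the ciphertext block
    return out.rstrip(b"\x00") if decrypt else out

def encode(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def respond(code, ident, request_auth, attrs):
    """Reply whose Response Authenticator binds it to the request and the shared secret."""
    pkt = encode(code, ident, b"\x00" * 16, attrs)
    return pkt[:4] + hashlib.md5(pkt[:4] + request_auth + pkt[20:] + SECRET).digest() + pkt[20:]

def response_is_authentic(pkt, request_auth):
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + SECRET).digest() == pkt[4:20]

class MfaRadiusServer:
    """Stand-in for NPS + Azure MFA NPS extension (constructed, greatly simplified)."""
    def __init__(self, users, method):
        self.users = users    # {user: (password, otp)}; constructed test data
        self.method = method  # "sms": OTP via challenge; "push": out-of-band approval
        self.pending = {}     # State value -> user we are waiting on for an OTP

    def handle(self, pkt):
        code, ident, req_auth, attrs = decode(pkt)
        a = dict(attrs)
        if STATE in a:  # second leg: OTP travels in User-Password, State correlates it
            user = self.pending.pop(a[STATE], None)
            otp = pap_crypt(a[USER_PASSWORD], req_auth, SECRET, decrypt=True)
            ok = user is not None and otp == self.users[user][1].encode()
            return respond(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])
        user = a[USER_NAME].decode()
        pw = pap_crypt(a[USER_PASSWORD], req_auth, SECRET, decrypt=True)
        if user not in self.users or pw != self.users[user][0].encode():
            return respond(ACCESS_REJECT, ident, req_auth, [])
        if self.method == "sms":
            state = os.urandom(8)
            self.pending[state] = user
            return respond(ACCESS_CHALLENGE, ident, req_auth,
                           [(REPLY_MESSAGE, b"Enter the code sent to your phone"), (STATE, state)])
        # Phone call / Authenticator notification: approval is collected out of band,
        # so NPS answers Access-Accept without a second exchange with the client.
        return respond(ACCESS_ACCEPT, ident, req_auth, [])

def authenticate(server, user, password, otp, answer_challenge=True):
    """Client side of the exchange. Returns the final RADIUS code the client sees."""
    req_auth = os.urandom(16)
    req = encode(ACCESS_REQUEST, 1, req_auth, [(USER_NAME, user.encode()),
                 (USER_PASSWORD, pap_crypt(password.encode(), req_auth, SECRET))])
    resp = server.handle(req)
    if not response_is_authentic(resp, req_auth):
        raise ValueError("reply does not verify against the shared secret")
    code, _, _, attrs = decode(resp)
    if code != ACCESS_CHALLENGE or not answer_challenge:
        # answer_challenge=False models the reported post-patch behaviour: the appliance
        # gets the Access-Challenge, never sends the follow-up, and the logon hangs here.
        return code
    req_auth2 = os.urandom(16)
    req2 = encode(ACCESS_REQUEST, 2, req_auth2, [(USER_NAME, user.encode()),
                  (USER_PASSWORD, pap_crypt(otp.encode(), req_auth2, SECRET)),
                  (STATE, dict(attrs)[STATE])])  # echo State so NPS can correlate the legs
    resp2 = server.handle(req2)
    if not response_is_authentic(resp2, req_auth2):
        raise ValueError("reply does not verify against the shared secret")
    return decode(resp2)[0]

USERS = {"alice": ("Passw0rd!", "123456")}  # constructed test data

if __name__ == "__main__":
    sms, push = MfaRadiusServer(USERS, "sms"), MfaRadiusServer(USERS, "push")
    print("text message, challenge answered:", authenticate(sms, "alice", "Passw0rd!", "123456"))
    print("text message, challenge ignored: ", authenticate(sms, "alice", "Passw0rd!", "123456", False))
    print("notification or phone call:      ", authenticate(push, "alice", "Passw0rd!", "123456"))
```

The pattern to look for in your own NPS logs is the one the ignored-challenge case produces: an Access-Challenge (code 11, carrying a State attribute) that is never followed by a second Access-Request from the appliance echoing that State. The phone call and notification methods never produce a challenge, which is why they keep working on a patched appliance.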
How to deal with this situation
There are several ways to deal with this situation:
Uninstalling the Citrix update
Obviously, uninstalling the Citrix update is not an option. The vulnerability that is patched is already actively exploited. Waiting another couple of weeks or months for another update from Citrix to patch this unwanted behavior is also a gloomy prospect.
Creating a new RADIUS profile
The first valid way to handle this situation is to create a new RADIUS profile on the appliance and bind it in place of the existing one. For many organizations this solves the situation. It has long been the known fix among Citrix admins when RADIUS suddenly fails after an update.
Switch to non-challenge-response methods
Another way to handle this situation is to help people switch away from the affected multi-factor methods. The Azure MFA NPS extension offers additional methods for multi-factor authentication that don't rely on entering an OTP in the Citrix interface:
- Phone call
- Microsoft Authenticator notification (approve the sign-in in the app; not the verification code mode, which is an OTP)
As long as the method doesn't require a challenge-response round trip through the Citrix appliance to enter a One-time Passcode, people can complete multi-factor authentication and meet the requirements to access the resources protected by the Citrix appliance(s).
To find out the Azure multi-factor authentication methods used by people in your organization, use the information in my blogpost Getting to know the colleagues using Azure Multi-Factor Authentication. This will quickly provide insights on the impact of the above situation.
Every multi-factor authentication method has its pros and cons. Choosing the right Azure MFA authentication method for each affected person, within the scope of available methods within the organization is a delicate art. Find out how to choose the right Azure MFA method.
Switch to modern authentication methods
As detailed above, the Azure MFA NPS extension is intended to provide multi-factor authentication, based on the legacy RADIUS protocol. RADIUS is proven technology, but newer methods are available to provide authentication to (web) applications:
- Publishing the back-end application, system or service through the Web Application Proxy as part of a Windows Server 2016-based (or newer version) Active Directory Federation Services (AD FS) farm, using the built-in Azure MFA AD FS Adapter.
- Creating a Relying Party Trust (RPT) for the back-end application, system or service to a Windows Server 2016-based (or newer version) Active Directory Federation Services (AD FS) farm, using the built-in Azure MFA AD FS Adapter.
- Publishing the back-end application, system or service through the Azure AD Application Proxy, leveraging Azure AD's Conditional Access feature to require multi-factor authentication.
- Creating a Relying Party Trust (RPT) for the back-end application, system or service to Azure AD, leveraging Azure AD's Conditional Access feature to require multi-factor authentication.
- On Citrix NetScaler devices running version 11.0 or above and equipped with the AAA module, you can switch from RADIUS authentication to a SAML-based Relying Party Trust (RPT) towards AD FS or Azure AD. This switch implies switching all back-end applications, systems and services in terms of authentication and should not require any changes to these applications, systems and services themselves.
- Citrix NetScaler devices running version 13 or above and equipped with the AAA module can be used as a full-fledged Web Application Proxy for the AD FS farm (Technical Preview) and publish back-end applications, systems and services this way. Again, this switch implies switching all back-end applications, systems and services in terms of authentication and should not require any changes to these applications, systems and services themselves.
To remediate the situation, you can migrate the application, system or service over to one (or more) of the newer authentication methods.
We're closely watching reports coming in. At this point in time, it seems that:
- Only Citrix' patch for version 11.1 is affected.
- Only challenge-response multi-factor authentication methods relying on OTPs entered in the NetScaler authentication interface are affected, including text messages, Authenticator app OTPs and hardware tokens.