Citrix—one of the world’s largest networking and remote access technology companies—announced patches for a known vulnerability more than one month after the vulnerability itself was announced. It is a $15BN company that more than 400,000 companies, including many of the Fortune 500, rely upon to keep their data safe and networks secure.
The flaw was identified on December 17, 2019, and affected two of Citrix’s most popular products, including its VPN tool. Citrix was not entirely clear about the potential opening this provided to hackers, saying that “it could allow an unauthenticated attacker to perform arbitrary code execution.”
It’s likely this patch was too late for some of Citrix’s customers. According to FireEye, an unknown hacker, or set of hackers, was exploiting the vulnerability in a Citrix product, cleaning up other malware on that network, and planting their own code, likely as a backdoor for future access. The extent of the potential damage already caused or enabled by this vulnerability is not known.
Companies rely upon Citrix to secure their networks or, as the company says, “giving IT the peace of mind that critical systems will always be accessible and secure.” As companies have accelerated digital transformation efforts, the common assumption was that outsourcing network security to a company like Citrix was the right security move.
The vulnerability followed Citrix’s most recent publicly announced breach in March 2019. As stated in past research, “If a company like Citrix had a serious outage, we would take a step toward a systemic risk problem. Consider the (previous) breach to be a mere warning shot that companies dependent on this infrastructure should heed and get a firm understanding of how such a risk impacts the business.” See previous research notes about fundamental weakness in the digital infrastructure of companies.
The Citrix issue is representative of the significant downside risks that companies undertaking digital transformation face (see below) but often do not explicitly recognize. Boards and C-suites have been happy with the productivity and cost savings benefits of such outsourcing, but it has come at the expense of security for many companies.