Wildcard certificates on Citrix

Report DIVD-2020-00002 - Wildcard certificates on Citrix

Written on 11 Nov 2020 by Jeroen van de Weerd

Case lead: Frank Breedijk
Case file: DIVD-2020-00002

In January 2020, the DIVD Security Hotline sent a large number of notifications to organizations that owned a vulnerable Citrix ADC server. In order to fix this vulnerability, Citrix made a number of patches available. The Dutch Security Hotline has advised to implement these patches and other mitigating measures as soon as possible.

Further analysis of the data DIVD was working on showed that more than 450 of the 700 identified vulnerable Citrix systems were using so-called wildcard certificates, which are TLS certificates that are valid for all subdomains within a domain.

The use of wildcard certificates for several subdomains on different servers introduces new security risks. For example, if one of the servers is hacked, it is possible that the wildcard certificate will be compromised by the attacker, lowering the confidentiality and integrity of the traffic to any location where the certificate is used. Any attacker who has the certificate could be able to decrypt, read or modify the traffic and re-encrypt it. A compromised certificate could for example also be used for (sub)domain spoofing. To minimize the damage of a possible server hack, each server should have a unique certificate that is only valid for the sub-domains and sites it hosts.

On 22-01-2020 the DIVD Security Hotline sent 1.350 emails to abuse@, info@ and security@ of the involved domains with the urgent advice to revoke these certificates and to install new non-wildcard certificates. This data was shared with the NCSC. No further questions arose from this.

After our notification, we could see a significant drop in the amount of wildcard certificates and the number of IP addresses that were still vulnerable. As no further questions were asked by the organisations we reported our findings to, we decided to close this case.