Recently, a list of potentially compromised wildcard certificate names was referenced in an article and uploaded to GitHub. The list was massive: over 12000 wildcard addresses exposed from all over the globe. But what does the list mean, and what should you do?
Here is what we know about the list in question:
- It is no longer available via GitHub.
- The list was generated between January 9th and January 10th through an automated scan.
- The list represents wildcard certs that were potentially exposed and not necessarily compromised.
Based on what we know regarding the timeline of events, it is very possible that your organization ran the remediation steps shortly after this list was generated but before the vulnerability was exposed by the various exploit scanners. Still, in an abundance of caution, your organization should consider reissuing your wildcard certificate. This can be a daunting task, since wildcard certs are an easy way to manage certificates across an organization and can find their way into nearly every service.
Alchemy’s recommendations for reissuing and replacing the certificate on the ADC are as follows:
- Generate a new wildcard Certificate Signing Request (CSR) on your platform of choice.
- Contact your certificate provider to have the cert reissued with the new CSR. It is important that the new certificate is issued without revoking the one being replaced, otherwise services outside of the ADC may fail.
- Import the certificate (and any intermediates required to complete the cert chain).
- Unbind the existing wildcard keypair and bind the new wildcard keypair to any service using the potentially exposed certificate.
- Test and migrate the remaining  services outside of the ADC to the new wildcard certificate.
- Revoke the potentially exposed certificate.
As always, our Alchemists are available to assist. Please contact us at netscaler.vulnerability@alchemytechgroup.com or contact your Alchemy sales representative as soon as possible.
Reference links:
Original link for list (now defunct) – https://github.com/tijlvdb/wildcarded-citrix-2020/blob/master/exposed_wildcards.txt
Reddit comment regarding list in question – https://www.reddit.com/r/Citrix/comments/ey93oi/exposed_wildcard_certificates_citrix_netscaler/fgkgxlf?utm_source=share&utm_medium=web2x
Timeline data and remediation steps – https://www.poppelgaard.com/cve-2019-19781-what-you-should-know-and-how-to-fix-your-citrix-adc-access-gatewayÂ
