Citrix quietly restores vulnerability credits to Positive Technologies researchers after Russian infosec firm’s erasure

One of two deleted credits was for the most frequently targeted flaw of 2020

A Russian cybersecurity firm subject to US government sanctions has hailed the restoration of vulnerability credits to its security researchers after they were mysteriously removed from security advisories by Citrix.

On Monday (August 23), Positive Technologies tweeted that acknowledgements for the discovery of security flaws in Citrix products by Mikhail Klyuchnikov and Andrey Medov had been excised from separate advisories published by the cloud computing, application virtualization, and networking giant.

“@Citrix we will be pleased to hear your response,” added the Moscow-based firm.

As of yesterday (August 24) – a day later – Citrix had quietly restored the credits.

US Census Bureau hack

Mikhail Klyuchnikov’s acknowledgement, which is now restored alongside those of two Paddy Power Betfair developers, was in relation to the discovery of a zero-day vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway in late 2019.

CVE-2019-19781 allowed an unauthenticated attacker to perform arbitrary code execution on a network, potentially allowing access to private network resources without requiring authentication.

The critical vulnerability (CVSS 9.8) was behind the failed hack of US Census Bureau systems in January, and was last month described in a joint cybersecurity advisory from the US, UK, and Australia as the most regularly-targeted flaw during 2020.

Andrey Medov, meanwhile, reported a high severity flaw in the Citrix XenMobile Server Path Traversal in February 2020 (CVE-2020-8209).

Tweeting yesterday, Positive Technologies said: “Citrix has restored the acknowledgment of our researchers in its advisories! We would like to express our gratitude to the community for your support and making information security more transparent.”

‘Groundless’ accusations

While Citrix hasn’t yet responded to our questions about the withdrawal and restoration of the acknowledgements, at least one industry professional has speculated that the answer may lie with the US government.

In April, under a new Executive Order, the US Treasury announced targeted sanctions on technology companies that it claimed supported the Russian intelligence services’ efforts to carry out malicious cyber activities against the US.

Positive Technologies, whose website numbers Samsung, Allianz, and Societe Generale among its clients, has denied the accusations, which it describes as “groundless”.

As previously reported by Forbes, Positive Technologies’ majority owner Yury Maksimov has said his company only provides defensive services to Russia’s Ministry of Defense and FSB – and would happily do the same for its US counterparts.

The US government also claimed Positive Technologies “hosts large-scale conventions that are used as recruiting events for the FSB and GRU [Russian military intelligence]”.

Positive Technolgies has described its annual Positive Hack Days (PHDays) event as “a public platform for the exchange of expertise, learning, and advanced training in cybersecurity” that “attracts thousands of cybersecurity and business experts from different countries”.

It added: “Our researchers detect hundreds of zero-day vulnerabilities per year in IT systems of various classes and types. All of the vulnerabilities found, without exception, are provided to the software manufacturers as part of the responsible disclosure policy and are not made public until the necessary updates are released.”

The Daily Swig has contacted Citrix for an explanation of its removal and restoration of the credits, and we will update the story if and when we receive a reply.

YOU MIGHT ALSO LIKE Whistleblowing security researchers deny ‘inappropriate access’ to Indiana Covid-19 survey data