24 Apr 2020
Citrix (NetScaler) Gateway servers in Australia vulnerable to CVE-2019-19781
Version 1.2
NB. The information in this blog is provided as is and will be updated according to the situation as it evolves.
- 1.2 Available patch for Citrix ADC versions 11.1 and 12.0 [20th January 2020]
- 1.1 Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided. [17th January 2020]
- 1.0 Initial publication [14th January 2020]
Summary
- Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers in Australia are vulnerable to CVE-2019-19781.
- AUSCERT has received information from a trusted third party source [1] about opportunistic scans being performed.
- Constituents are being contacted about the vulnerability and the applicable mitigation [2][3][4].
- This blog post also serves as a general notice; issued for all who own and operate the vulnerable appliance.
- Update v1.1: Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided.
- Update v1.2: Patches being made available for Citrix ADC versions 11.1 and 12.0 [13]
Description
Citrix (NetScaler) endpoints are vulnerable to CVE-2019-19781, affecting the following products [5]:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds (Patch issued from Citrix) [13]
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds (Patch issued from Citrix) [13]
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Proof-of-concept exploits demonstrating unauthenticated remote code execution via CVE-2019-19781 have been posted on GitHub by Project Zero India [6] and TrustedSec [7].
A summary report is available from BadPackets[1].
A notification is available from US-CERT[8] and has been reported in the media by Bleeping Computer[9].
Testing Vulnerability
The following proof-of-concept (PoC) request validates CVE-2019-19781 without extracting sensitive information.
A successful "HTTP 200/OK" response to this request indicates the Citrix (NetScaler) server is vulnerable to further attacks.
curl -k -I --path-as-is https://<IP_address>/vpn/../vpns/cfg/smb.conf
Suggested Mitigation
A patch is currently available from Citrix only for ADC versions 11.1 and 12.0 [13]; further firmware updates are expected to be made available by the end of January 2020.
Citrix has provided mitigation steps to prevent further compromise [3]. Note that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided, so be sure that you are running a safe version.
Remediation Actions
A forensic guide is available from Trusted Sec to find evidence of a compromise[10].
Talos has issued Snort rules [11] to detect the exploit.
A Suricata rule for this emerging threat is also available[12].
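The "Testing Vulnerability" request above and the Snort/Suricata rules referenced here both key on the same thing: a request path that traverses from /vpn/ into /vpns/. The following is an added example (not AUSCERT's, Citrix's or the referenced projects' code) that applies that check to appliance access-log lines in common log format; the log lines are constructed samples, and the field layout is an assumption about the log source.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2020:10:01:02 +1000] "HEAD /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 -
203.0.113.5 - - [13/Jan/2020:10:01:03 +1000] "GET /vpn/index.html HTTP/1.1" 200 1532
198.51.100.9 - - [13/Jan/2020:10:02:10 +1000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 -
198.51.100.9 - - [13/Jan/2020:10:02:11 +1000] "GET /vpn/%252e%252e/vpns/cfg/smb.conf HTTP/1.1" 403 -
192.0.2.7 - - [13/Jan/2020:10:03:00 +1000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8812
"""

# Assumed common-log-format layout: client, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The CVE-2019-19781 traversal: /vpn/ followed by one or more ../ segments landing in /vpns/
TRAVERSAL_RE = re.compile(r'/vpn/(?:\.\./)+vpns/', re.IGNORECASE)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cve_2019_19781_probe(path):
    # Decode twice so single- and double-percent-encoded dot segments are both caught.
    decoded = unquote(unquote(path))
    return bool(TRAVERSAL_RE.search(decoded))


def find_probes(log_text):
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_cve_2019_19781_probe(rec["path"]):
            rec["status"] = int(rec["status"])
            hits.append(rec)
    return hits


def summarise(hits):
    # A 200 on a traversal request means the appliance served the file (the page's
    # "vulnerable" signal); any other status means the request was refused.
    return {
        "probes": len(hits),
        "served_200": sum(1 for h in hits if h["status"] == 200),
        "sources": sorted({h["ip"] for h in hits}),
    }
```

Run it over the real access log of an appliance to list which sources probed the traversal path and whether any probe was answered with 200.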
References and Credits
[1] Badpackets https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/
[2] Citrix Advisory https://support.citrix.com/article/CTX267027
[3] Mitigation Steps for CVE-2019-19781 https://support.citrix.com/article/CTX267679
[4] AUSCERT ESB-2019.4708 https://portal.auscert.org.au/bulletins/ESB-2019.4708/
[5] Reddit https://www.reddit.com/r/sysadmin/comments/en5y8l/multiple_exploits_for_cve201919781_citrix/
[6] Project Zero India https://github.com/projectzeroindia/CVE-2019-19781
[7] Trustedsec Github https://github.com/trustedsec/cve-2019-19781
[9] Bleeping Computers https://www.bleepingcomputer.com/news/security/cisa-releases-test-tool-for-citrix-adc-cve-2019-19781-vulnerability/
[10] Trusted Sec Forensic Guide https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/
[11] Talos https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html
[12] Suricata Emerging Threats https://rules.emergingthreats.net/open/
[13] Vulnerability Update: First permanent fixes available, timeline accelerated https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/