Citrix NetScaler (ADC) vulnerability CVE-2019-19781

netscaler_logo2

For those that are not aware, but vulnerability (CVE-2019-19781) has come up , which affects Citrix ADC and Citrix Gateway which essentially allows an unauthenticated attacker to run arbitrary code on the appliances. NOTE: That the vulnerability is leveraging the NetScaler ADC Gateway feature, since it is part of the VPN folder which is accessable when feature is enabled. 

NOTE: Exploit has now been published https://github.com/trustedsec/cve-2019-19781

NOTE: A tentative timeline for the firmware releases that will close the vurneability has been published in the support article, so in the meantime you need to apply the mitigation fix.

B18D3E6A-31A5-47C8-97B8-00504CC3397F

NOTE: This vulnerability only applies for NetSCalers that have the VPN / Gateway Service enabled. If you are using NetScaler/ADC For Load balancing only or other services this does not apply.

NOTE: You can check under /netscaler/portal/templates/ if there has been any activity, both PoC’s also generate XML files under this folder.

You can see example payloads 

<?xml version=”1.0″ encoding=”UTF-8″?> <user username=”../../../netscaler/portal/templates/somuniquestr”>   <bookmarks>     <bookmark UI_inuse=”” descr=”[% template.new(‘BLOCK’ = ‘print `cat /etc/passwd`’) %] ” title=”somuniquestr” url=”http://example.com” />     <bookmark UI_inuse=”” descr=”[% template.new(‘BLOCK’ = ‘print `cat /etc/passwd`’) %] ” title=”somuniquestr” url=”http://example.com” />     <bookmark UI_inuse=”” descr=”[% template.new(‘BLOCK’ = ‘print `cat /etc/passwd`’) %] ” title=”somuniquestr” url=”http://example.com” />

<?xml version=”1.0″ encoding=”UTF-8″?> <user username=”/../../../../../../../../../../netscaler/portal/templates/JrEamp3HoKnT”>   <bookmarks>     <bookmark UI_inuse=”” descr=”[% template.new({‘BLOCK’=’print `cat /flash/nsconfig/ns.conf`’}) %]\” title=”JrEamp3HoKnT\” url=”https://www.google.com\” />   </bookmarks>

We are now seeing more exploit attempts per hour (source from twitter)

Positive Technologies reported the vulnerability to Citrix in early December, and has not posted the exploit online, but there are active exploits in the wild now.

 

You can read it in detail here –> https://support.citrix.com/article/CTX267027Av

“A vulnerability has been identified in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, as well as in Citrix Gateway, formerly known as NetScaler Gateway. This CVE-2019-19781 vulnerability, if exploited, could allow an unauthenticated party to perform arbitrary code execution. This issue impacts all ADC and ADC Gateway versions 10.5 through 13.0.”

Since this affects versions 10.5 trough 13.0 one can only assume that the vulnerability came with the introduction of the new gateway features that were part of the 10.5 version when Citrix released that a while ago.

Citrix has also created some mitigation steps –> https://support.citrix.com/article/CTX267679 but it should be noted that these steps only apply for the regular NetScaler or ADC licenseand note for those with Gateway only license which are used for ICA-Proxy or remote access, these mitigation steps do not apply, since it requires an feature which is not available on that license. Citrix has not yet made a patch that will fix the issue.

The mititagion steps essentially add an responder policy on a global level to prohibit access to the following folder on the NetScaler ADC appliance /vpns/ and also add the same responder policy to the management UI.

NOTE: Controlup has a script which can also be used to apply the same mitigation to ADC as well –> https://www.controlup.com/script-library/Check-for-Citrix-ADC-CVE-2019-19781-Vulnerability-mitigation/28798fae-7ef9-4263-9834-031cefe6f3d6/

NOTE: How can people find affected NetScaler instances? at this time you can even Google just to find NetScaler appliances just by searching for allintitle:Citrix gateway or allintitle:NetScaler gateway

What if if we using Citrix Cloud Gateway? (a.k.a Citrix Gateway Service) is that impacted with the vulnerability ( CVE-2019-19781)? 

Has already been patched https://support.citrix.com/article/CTX269014

 

 

You May Also Like

About the Author: Marius Sandbu

Leave a Reply

Your email address will not be published. Required fields are marked *