Blogs - 24 Apr 2020
Citrix (NetScaler) Gateway servers in Australia vulnerable to CVE-2019-19781
NB. The information in this blog is provided as is and will be updated according to the situation as it evolves.
- 1.2 Patches available for Citrix ADC versions 11.1 and 12.0 [20th January 2020]
- 1.1 Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 remain vulnerable even with the mitigation steps applied. [17th January 2020]
- 1.0 Initial publication [14th January 2020]
- Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers in Australia are vulnerable to CVE-2019-19781.
- AusCERT has received information from a trusted third-party source about opportunistic scans being performed.
- Constituents are being contacted about the vulnerability and the applicable mitigation.
- This blog post also serves as a general notice, issued for all who own and operate the vulnerable appliances.
- Update v1.1: Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 remain vulnerable even with the mitigation steps applied.
- Update v1.2: Patches are now available for Citrix ADC versions 11.1 and 12.0.
CVE-2019-19781 affects the following Citrix (NetScaler) products:
o Citrix ADC and Citrix Gateway version 13.0 all supported builds
o Citrix ADC and NetScaler Gateway version 12.1 all supported builds
o Citrix ADC and NetScaler Gateway version 12.0 all supported builds (patch available from Citrix)
o Citrix ADC and NetScaler Gateway version 11.1 all supported builds (patch available from Citrix)
o Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Proof-of-concept exploits demonstrating unauthenticated remote code execution via CVE-2019-19781 have been posted on GitHub by Project Zero India and TrustedSec.
A summary report is available from BadPackets.
A notification is available from US-CERT and has been reported in the media by Bleeping Computer.
Proof-of-concept (PoC) check to validate CVE-2019-19781 without extracting sensitive information.
The request below asks for the appliance's Samba configuration file through a path-traversal URL. An "HTTP 200 OK" response indicates the Citrix (NetScaler) server is vulnerable to further attacks; a 403 is the response expected once the Citrix responder-policy mitigation is in place. The --path-as-is flag is essential: without it curl collapses /vpn/../ before sending, requests /vpns/cfg/smb.conf directly, and the check silently produces a false negative. -k skips certificate validation (appliances commonly use self-signed certificates) and -I sends a HEAD request so that nothing beyond the status line and headers is retrieved.
curl -k -I --path-as-is https://<IP_address>/vpn/../vpns/cfg/smb.conf
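The same check as a small script, for teams that have more than one gateway to cover. This is an added example, not code from the AusCERT post or from Citrix: it builds the HTTP request by hand so the traversal path is sent exactly as written (the equivalent of --path-as-is), classifies the status code, and, when run as a GET, confirms the body really is a Samba configuration rather than a catch-all 200 page. The sample responses embedded at the bottom are constructed for offline use; the assumption that a 403 reflects the Citrix mitigation or a fixed build is noted in the code.

```python
"""Non-destructive CVE-2019-19781 check: send the traversal path verbatim, classify the reply.

Added example (not from the AusCERT post or Citrix). Assumptions: the target
speaks HTTPS on 443, and a 403 is what the Citrix responder-policy mitigation
(or a fixed build) returns for /vpns/ traversal requests.
"""
import socket
import ssl

PROBE_PATH = "/vpn/../vpns/cfg/smb.conf"  # the same path the curl check requests


def build_probe_request(host: str, method: str = "HEAD") -> bytes:
    """Raw HTTP/1.1 request with the path left exactly as written.

    This is the equivalent of curl's --path-as-is: a client that normalises
    "/vpn/../vpns/" to "/vpns/" before sending never exercises the flaw, which
    lies in how the appliance resolves the path, and reports a false negative.
    """
    return (
        f"{method} {PROBE_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: cve-2019-19781-check\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode()


def parse_status(raw: bytes) -> int:
    """Return the numeric status code from a raw HTTP response."""
    status_line = raw.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def classify(status: int, body: bytes = b"") -> str:
    """Map the probe result to a verdict. A body is only present for GET probes."""
    if status == 200:
        # Guard against catch-all 200 pages: a real hit returns a Samba config.
        if body and b"[global]" not in body:
            return "inconclusive: 200 but body is not smb.conf (review manually)"
        return "VULNERABLE: traversal reached /vpns/cfg/smb.conf"
    if status == 403:
        return "blocked (403): consistent with the Citrix mitigation or a fixed build"
    if status == 404:
        return "not found (404): confirm the firmware build and patch level"
    return f"inconclusive (HTTP {status})"


def classify_raw(raw: bytes) -> str:
    """Classify a complete raw response (status line, headers, optional body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return classify(parse_status(head), body)


def probe(host: str, port: int = 443, method: str = "HEAD", timeout: float = 5.0) -> str:
    """Send the probe over TLS with certificate checks off (like curl -k) and classify."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # appliances commonly present self-signed certs
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_probe_request(host, method))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return classify_raw(b"".join(chunks))


# Constructed sample responses for offline use (not captured from a real appliance).
SAMPLE_VULNERABLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"[global]\n\tworkgroup = WORKGROUP\n\tencrypt passwords = yes\n"
)
SAMPLE_MITIGATED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
SAMPLE_CATCHALL = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Login</html>"


if __name__ == "__main__":
    import sys
    for sample in (SAMPLE_VULNERABLE, SAMPLE_MITIGATED, SAMPLE_CATCHALL):
        print(classify_raw(sample))
    for target in sys.argv[1:]:  # e.g. python3 check.py gw1.example.com gw2.example.com
        try:
            print(f"{target}: {probe(target)}")
        except (OSError, ValueError) as exc:
            print(f"{target}: error: {exc}")
```

Run it with hostnames as arguments; with none it only classifies the three constructed samples. Use `probe(host, method="GET")` when a gateway front-ends the appliance with something that answers 200 to everything, so the body check can rule out false positives.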
Patches are currently available from Citrix only for ADC versions 11.1 and 12.0; further firmware updates are expected to be made available by the end of January 2020.
Citrix has provided mitigation steps to prevent further compromise. Note that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 remain vulnerable even with the mitigation steps applied, so check the build you are running, not just whether the mitigation has been deployed.
A forensic guide is available from TrustedSec for finding evidence of compromise on an appliance.
Cisco Talos has released Snort rules to detect the exploit.
A Suricata rule for this emerging threat is also available.
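For anyone triaging an appliance after the fact, the indicator that the Citrix mitigation and the public IDS signatures key on is simple: a request that reaches /vpns/ through a /../ segment. The scanner below applies that test to Apache-style access log lines, decoding the URL first so encoded variants of the traversal do not slip past, and records whether each attempt was served (200) or refused. This is an added example, not code from the AusCERT post, TrustedSec or Talos; the combined log format and the three sample lines are assumptions and constructed data, noted as such in the code.

```python
"""Flag CVE-2019-19781 traversal requests in Apache-style access log lines.

Added example (not from the AusCERT post, TrustedSec or Talos). Assumptions:
the appliance's web server writes Apache combined-format lines, and the
request line is logged as received (un-normalised), so "/vpn/../vpns/"
appears verbatim.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(path: str) -> str:
    """URL-decode until stable (bounded), then lower-case.

    Matching on the decoded URL is what the Citrix responder-policy
    mitigation and the IDS signatures do: "..%2f" and "..%252f" spell the
    same traversal as "../".
    """
    decoded = path
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.lower()


def is_traversal(path: str) -> bool:
    """True when the request tries to reach /vpns/ through a "/../" segment."""
    p = normalise(path)
    return "/vpns/" in p and "/../" in p


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One record per matching line; 'served' marks a 200, i.e. the request succeeded."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        hits.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
            "served": m["status"] == "200",
        })
    return hits


# Constructed sample lines (not from a real appliance): a plain traversal that
# succeeded, an encoded variant refused with 403, and a benign portal request.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Jan/2020:04:15:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1226 "-" "python-requests/2.22.0"',
    '203.0.113.7 - - [11/Jan/2020:04:15:09 +0000] "GET /vpn/..%2Fvpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "python-requests/2.22.0"',
    '198.51.100.20 - - [11/Jan/2020:04:16:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
]


def demo() -> List[Dict[str, object]]:
    """Scan the constructed sample log."""
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG  # e.g. httpaccess.log
    for hit in scan(source):
        flag = "SERVED" if hit["served"] else "blocked"
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} -> {hit["status"]} ({flag})')
```

A served traversal is the line to escalate on: it shows the request reached the file system, and the host should then be examined with the TrustedSec guide rather than treated as merely scanned. Blocked attempts are still worth recording as the source addresses of active scanning.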
Reference and Credits
Citrix Advisory https://support.citrix.com/article/CTX267027
Mitigation Steps for CVE-2019-19781 https://support.citrix.com/article/CTX267679
AusCERT ESB-2019.4708 https://www.auscert.org.au/bulletins/ESB-2019.4708/
Project Zero India https://github.com/projectzeroindia/CVE-2019-19781
TrustedSec GitHub https://github.com/trustedsec/cve-2019-19781
TrustedSec Forensic Guide https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/
Suricata Emerging Threats https://rules.emergingthreats.net/open/
Vulnerability Update: First permanent fixes available, timeline accelerated https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/