24 Apr 2020

Citrix (NetScaler) Gateway servers in Australia vulnerable to CVE-2019-19781

Version 1.2

NB. The information in this blog is provided as is and will be updated according to the situation as it evolves.

  • 1.2 Available patch for Citrix ADC versions 11.1 and 12.0 [20th January 2020]
  • 1.1 Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided. [17th January 2020] 
  • 1.0 Initial publication [14th January 2020]

Summary

  • Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers in Australia are vulnerable to CVE-2019-19781.
  • AUSCERT has received information from a trusted third party source [1] about opportunistic scans being performed.
  • Constituents are being contacted about the vulnerability and the applicable mitigation [2][3][4].
  • This blog post also serves as a general notice; issued for all who own and operate the vulnerable appliance.
  • Update v1.1: Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided.
  • Update v1.2: Patches are now available for Citrix ADC versions 11.1 and 12.0[13]

 

Description

Citrix (NetScaler) endpoints are vulnerable to CVE-2019-19781 affecting the following products[5]:
o Citrix ADC and Citrix Gateway version 13.0 all supported builds
o Citrix ADC and NetScaler Gateway version 12.1 all supported builds
o Citrix ADC and NetScaler Gateway version 12.0 all supported builds (Patch issued from Citrix)[13]
o Citrix ADC and NetScaler Gateway version 11.1 all supported builds (Patch issued from Citrix)[13]
o Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Unauthenticated remote code execution exploits for CVE-2019-19781 have been demonstrated and posted on GitHub by Project Zero India[6] and TrustedSec[7].

A summary report is available from BadPackets[1].

A notification is available from US-CERT[8] and has been reported in the media by Bleeping Computer[9].

Testing Vulnerability

The following proof-of-concept (PoC) request validates CVE-2019-19781 without extracting sensitive information: it is a HEAD request (-I), so only response headers are returned and no file contents are retrieved. The -k flag skips certificate verification (appliances frequently carry self-signed certificates), and --path-as-is stops curl from collapsing the ../ segment before sending; without it the request becomes a plain request for /vpns/cfg/smb.conf and no longer exercises the flaw.

An "HTTP 200 OK" response to this request indicates the traversal succeeded and the Citrix (NetScaler) server is vulnerable to further attacks.

curl -k -I --path-as-is https://<IP_address>/vpn/../vpns/cfg/smb.conf
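The same check in Python, as an added example that is not part of the AUSCERT post. It sends the identical HEAD request (http.client puts the path on the request line verbatim, so no --path-as-is equivalent is needed), shows what a dot-segment-normalising client would send instead, and interprets the status code. The hostname in main() is a placeholder; the reading of 403 as the Citrix responder-policy mitigation from CTX267679 assumes no other device in the path answers 403 for this request.

```python
"""Non-destructive check for CVE-2019-19781, mirroring the curl one-liner.

Added example, not from the AUSCERT post. Hostnames are placeholders.
"""
import http.client
import posixpath
import ssl
import sys

# The traversal path used by the curl check: /vpn/ is reachable without
# authentication, and the ../ steps into /vpns/, which must never be exposed.
RAW_PATH = "/vpn/../vpns/cfg/smb.conf"


def normalized_path(path: str) -> str:
    """Return what a client that resolves dot-segments would send.

    This is why curl needs --path-as-is: a normalising client collapses the
    '..' and asks for /vpns/cfg/smb.conf directly, which does not exercise
    the flaw, so an unpatched host would look safe.
    """
    return posixpath.normpath(path)


def classify(status: int) -> str:
    """Map the HEAD response status to a verdict.

    200: the appliance served the file -> vulnerable.
    403: a request containing '/vpns/' and '/../' was refused, which is how
         the Citrix responder-policy mitigation (CTX267679) answers
         (assumption: nothing else in the path returns 403 for this).
    anything else: not exploitable via this path, or not a NetScaler.
    """
    if status == 200:
        return "VULNERABLE"
    if status == 403:
        return "MITIGATED (responder policy blocks the traversal)"
    return "NOT VULNERABLE / NOT A NETSCALER (HTTP %d)" % status


def check_host(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Send HEAD RAW_PATH to host:port and return the verdict.

    Certificate verification is disabled to match curl -k.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("HEAD", RAW_PATH)
        return classify(conn.getresponse().status)
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder target; pass real hostnames on the command line.
    for target in sys.argv[1:] or ["gateway.example.com"]:
        try:
            print(target, check_host(target))
        except OSError as exc:
            print(target, "ERROR", exc)
```

A 403 only tells you the traversal was refused. As noted under Update v1.1, 12.1 builds prior to 51.16/51.19 and 50.31 remain vulnerable even with the mitigation applied, so confirm the running build as well rather than relying on this response alone.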

 

Suggested Mitigation

A patch is currently available from Citrix only for ADC versions 11.1 and 12.0[13]; firmware updates for the remaining versions are expected by the end of January 2020.

Citrix has provided mitigation steps to prevent further compromise[3]. Note that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps applied, so be sure that you are running a build on which the mitigation is effective.

 

Remediation Actions

A forensic guide is available from TrustedSec for finding evidence of compromise[10].

Talos has released Snort rules[11] to detect the exploit.

A Suricata rule for this emerging threat is also available[12].
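For a first pass over historical access logs before the IDS rules were in place, the following is an added example that is not part of the AUSCERT post, the TrustedSec guide or the Talos rules. It applies the logic of the curl check in reverse: flag any request whose percent-decoded path reaches /vpns/ through a /../ segment, and record whether the appliance served it (200) or refused it (403). The log lines are constructed for the example and use the Combined Log Format; the field layout of your own appliance's HTTP access log may differ.

```python
"""Scan access logs for CVE-2019-19781 traversal attempts.

Added example, not from the AUSCERT post. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic. Line 2 percent-encodes the
# dot-segments; line 4 is a direct /vpns/ request with no traversal.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:03:14:07 +0000] "HEAD /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 0 "-" "curl/7.64.0"
203.0.113.10 - - [11/Jan/2020:03:14:09 +0000] "HEAD /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 0 "-" "python-requests/2.22.0"
198.51.100.7 - - [11/Jan/2020:03:15:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Jan/2020:03:15:30 +0000] "GET /vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.22 - - [11/Jan/2020:03:16:11 +0000] "HEAD /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.64.0"
"""


def decode_path(path: str) -> str:
    """Percent-decode twice so %2e%2e and %252e%252e both become '..'."""
    return unquote(unquote(path))


def is_traversal(path: str) -> bool:
    """True when the decoded path reaches /vpns/ via a /../ segment.

    Matching on the decoded, un-normalised path is deliberate: normalising
    first would erase the '..' that is the evidence.
    """
    p = decode_path(path).lower()
    return "/vpns/" in p and "/../" in p


def outcome(status: int) -> str:
    """Interpret the response code for a flagged request."""
    if status == 200:
        return "served"      # traversal succeeded: treat host as compromised
    if status == 403:
        return "blocked"     # refused, e.g. by the responder-policy mitigation
    return "other"


def scan_log(text: str) -> list:
    """Return one finding dict per traversal attempt in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "method": m["method"],
            "path": decode_path(m["path"]),
            "outcome": outcome(int(m["status"])),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(time)s %(ip)s %(method)s %(path)s -> %(outcome)s" % f)
```

A "served" finding means the file was handed out and the host should be treated as compromised and examined with the forensic guide above; "blocked" findings still identify scanning sources worth correlating across the estate.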

Reference and Credits

[1] Badpackets https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/

[2] Citrix Advisory https://support.citrix.com/article/CTX267027

[3] Mitigation Steps for CVE-2019-19781 https://support.citrix.com/article/CTX267679

[4] AUSCERT ESB-2019.4708 https://portal.auscert.org.au/bulletins/ESB-2019.4708/

[5] Reddit https://www.reddit.com/r/sysadmin/comments/en5y8l/multiple_exploits_for_cve201919781_citrix/

[6] Project Zero India https://github.com/projectzeroindia/CVE-2019-19781

[7] TrustedSec GitHub https://github.com/trustedsec/cve-2019-19781

[8] US-CERT https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability

[9] Bleeping Computer https://www.bleepingcomputer.com/news/security/cisa-releases-test-tool-for-citrix-adc-cve-2019-19781-vulnerability/

[10] TrustedSec Forensic Guide https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/

[11] Talos https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html

[12] Suricata Emerging Threats https://rules.emergingthreats.net/open/

[13] Vulnerability Update: First permanent fixes available, timeline accelerated https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/