Citrix (NetScaler) Gateway servers in Australia vulnerable to CVE-2019-19781

//Blogs - 24 Apr 2020

Citrix (NetScaler) Gateway servers in Australia vulnerable to CVE-2019-19781

Version 1.2

NB. The information in this blog is provided as is and will be updated according to the situation as it evolves.

1.2 Available patch for Citrix ADC versions 11.1 and 12.0 [20th January 2020]
1.1 Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided. [17th January 2020]
1.0 Initial publication [14th January 2020]

Summary

Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler Gateway) servers in Australia are vulnerable to CVE-2019-19781.
AusCERT has received information from a trusted third party source [1] about opportunistic scans being performed.
Constituents are being contacted about the vulnerability and the applicable mitigation [2][3][4].
This blog post also serves as a general notice; issued for all who own and operate the vulnerable appliance.
Update v1.1: Citrix notes that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided.
Update v1.2: Patches being made available for Citrix ADC versions 11.1 and 12.0 [13]

Description

Citrix (NetScaler) endpoints are vulnerable to CVE-2019-19781 affecting the following products[5]:
o Citrix ADC and Citrix Gateway version 13.0 all supported builds
o Citrix ADC and NetScaler Gateway version 12.1 all supported builds
o Citrix ADC and NetScaler Gateway version 12.0 all supported builds (Patch issued from Citrix)[13]
o Citrix ADC and NetScaler Gateway version 11.1 all supported builds (Patch issued from Citrix)[13]
o Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Unauthenticated Remote Code execution has been demonstrated to exploit CVE-2019-19781 have been posted on GitHub by Project Zero India[6] and TrustedSec[7].

A summary report is available from BadPackets[1].

A notification is available from US-CERT[8] and has been reported in the media by Bleeping Computer[9].

Testing Vulnerability

Proof-of-Concept (PoC) to validate CVE-2019-19781 without extracting sensitive information.

A successful “HTTP 200/OK” response to this scan indicates the Citrix (NetScaler) server is vulnerable to further attacks.

curl -k -I --path-as-is https://<IP_address>/vpn/../vpns/cfg/smb.conf

Suggested Mitigation

Patch is currently available from Citrix only for ADC versions 11.1 and 12.0,[13] and it is expected that further firmware updates be made available by the end of January 2020.

Citrix has provided mitigations steps to prevent further compromise[3]. Note that builds of ADC Release 12.1 prior to 51.16/51.19 and 50.31 are vulnerable even with the mitigation steps provided, so be sure that you are running a safe version.