Citrix CVE-2019-19781 Overview
Citrix announced a vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, just before the holidays. The vulnerability has recently been targeted by remote attackers for possible exploitation, as it is being scanned for in the wild. Proof-of-concept exploit code exists and may be used to deliver a variety of payloads. Citrix has published mitigation steps for this vulnerability.
Tactics, Techniques, and Procedures
Citrix products affected by this vulnerability mishandle specially crafted web requests, leading to directory traversal and possible remote code execution. Exploiting this vulnerability is not difficult and would give a bad actor access to internal network resources. Bad actors could use this method to gain initial access to the network before using other methods to move laterally in the environment.
Affected Software Versions:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
According to Citrix, the patch for this vulnerability will require a firmware update and will likely be available by the end of January. In the meantime, mitigation steps are available in which administrators can enter commands designed for either standalone or high-availability setups.
According to the SANS forum post, the exploitation method is to send a POST request whose path starts with either /vpns or //vpns. Attackers can then supply a configuration file they want to change or a set of instructions they want to run. These scanning attempts appear to originate from automated bots, a common method of probing networks.
- May lead to the compromise of a critical network appliance, which can become a gateway for lateral movement in the environment
- Scanning activity may allow bad actors to enumerate your perimeter devices before launching an attack
- If a successful exploitation event occurs, bad actors may change the Gateway to redirect traffic or gather intelligence on user activity
- Follow the mitigation steps linked below until the patch is released
- Implement the rule linked below in your SIEM and set it to a high criticality level
- Subscribe to the Citrix bulletin alerts to get the latest updates on a patch for this vulnerability and other ones in the future
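The request prefix described above (/vpns or //vpns) and the SIEM rule recommended here can be checked against web access logs. The following is an added example, not code from the report or from Citrix: it parses combined-format access-log lines (constructed samples, documentation IP ranges, made-up paths), normalizes the path before matching, and counts hits per source so scanning activity stands out. Percent-decoding and slash collapsing are assumptions beyond the report's literal prefixes; the method is reported rather than filtered so GET probes remain visible.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Apache/nginx combined format);
# IP addresses are from documentation ranges and the paths are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:13:55:36 +0000] "POST /vpns/sample/path HTTP/1.1" 404 195 "-" "python-requests/2.22.0"
203.0.113.5 - - [10/Jan/2020:13:55:37 +0000] "POST //vpns/sample/path HTTP/1.1" 404 195 "-" "python-requests/2.22.0"
198.51.100.9 - - [10/Jan/2020:13:56:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2020:13:56:02 +0000] "POST /vpn/index.html HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Jan/2020:13:57:10 +0000] "GET /%2Fvpns/other HTTP/1.1" 404 195 "-" "curl/7.64.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"'
)


def normalize_path(path: str) -> str:
    """Percent-decode and collapse repeated slashes so /vpns and //vpns compare equal.
    Decoding is an assumption added here; the report names only the literal prefixes."""
    decoded = unquote(path.split("?", 1)[0])
    return re.sub(r"/+", "/", decoded)


def is_vpns_probe(path: str) -> bool:
    """True when the normalized request path begins with the /vpns prefix from the report."""
    norm = normalize_path(path).lower()
    return norm == "/vpns" or norm.startswith("/vpns/")


def find_probes(lines):
    """Return (ip, method, raw_path) for every log line whose path matches the probe pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_vpns_probe(m.group("path")):
            hits.append((m.group("ip"), m.group("method"), m.group("path")))
    return hits


def probes_per_source(lines):
    """Count matching requests per source IP; repeated hits from one source indicate scanning."""
    return Counter(ip for ip, _, _ in find_probes(lines))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, method, path in find_probes(lines):
        print(f"probe from {ip}: {method} {path}")
    print(dict(probes_per_source(lines)))
```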
Proof of Concept Exploit Code: https://github.com/trustedsec/cve-2019-19781
Patch Timeline: https://support.citrix.com/article/CTX267027
Current Mitigation: https://support.citrix.com/article/CTX267679
IBM X-Force Exchange Summary: https://exchange.xforce.ibmcloud.com/vulnerabilities/173448
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.