Citrix CVE-2019-19781: The Facts

Citrix CVE-2019-19781 Overview

Citrix announced a vulnerability in the Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway is formerly known as NetScaler Gateway just before the holidays and the vulnerability has recently been targeted by remote attackers for possible exploitation as it’s being scanned for in the wild. A proof of concept exploit code exists which may be used to deliver a variety of payloads. Mitigation steps for this vulnerability have been published by Citrix.

Tactics, Techniques, and Procedures

Citrix products affected by this vulnerability are unable to handle specified web requests leading to the execution of remote code or a possible directory traversal event. Successful exploitation of this vulnerability is not difficult to execute and would result in a bad actor gaining access to internal network resources. Bad actors could use this method to gain initial access to the network before using other methods to move laterally in the environment.

Affected Software Versions:

• Citrix ADC and Citrix Gateway version 13.0 all supported builds
• Citrix ADC and NetScaler Gateway version 12.1 all supported builds
• Citrix ADC and NetScaler Gateway version 12.0 all supported builds
• Citrix ADC and NetScaler Gateway version 11.1 all supported builds
• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

According to Citrix, the patch to this vulnerability will require a firmware update and will likely be available by the end of January.  Mitigation steps are available wherein administrators in your enterprise can enter commands designed for either standalone or high availability set-ups.

In accordance with the SANS forum post, the exploitation method is to start your POST request with either a /VPNs or a //VPNs. Attackers can then supply a configuration file they want to change or a set of instructions they want to run. These scanning attempts appear to originate from automated bots, a common method of probing networks.

Impact

• May lead to the compromise of a critical network appliance which may be a gateway for lateral movement in the environment
• Scanning activity may allow bad actors to enumerate your perimeter devices before launching an attack
• If a successful exploitation event occurs, bad actors may change the Gateway to redirect traffic or gather intelligence on user activity

Recommendations

• Follow the mitigation steps linked below until the patch is released
• Implement the rule linked below in your SIEM device and set it to a high level of criticality
• Subscribe to the Citrix bulletin alerts to get the latest updates on a patch for this vulnerability and other ones in the future

Sources

Bleeping Computer Article:      https://www.bleepingcomputer.com/news/security/attackers-are-scanning-for-vulnerable-citrix-servers-secure-now/

Supporting Documentation:

GitHub Links:

Rule: https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml

Proof of Concept Exploit Code: https://github.com/trustedsec/cve-2019-19781

Citrix Links:

Patch Timeline: https://support.citrix.com/article/CTX267027

Current Mitigation: https://support.citrix.com/article/CTX267679

Bulletin: https://login.citrix.com/?url=https://support.citrix.com/user/alerts

IBM X-Force Exchange Summary: https://exchange.xforce.ibmcloud.com/vulnerabilities/173448

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.

Contact us for more information about Avertium’s managed detection and response service capabilities.