TrustedSec - Critical Exposure in Citrix ADC (NetScaler) – Unauthenticated Remote Code Execution

On December 17, 2019, Citrix released a critical advisory that allows for remote code execution. Advisories like these come out often for organizations, and critical exposures are nothing new for any company. However, when digging into the remediation step details, this advisory gave a substantial amount of information on the exploit itself. What makes this substantially worse is that there is no direct patch for this issue. Citrix has released mitigation steps for CVE-2019-19781, which requires a number of direct commands through the interface to address the issue.

TrustedSec can confirm that we have a 100% fully working remote code execution exploit that is able to directly attack any Citrix ADC server from an unauthenticated manner. Based on the information already provided in the workaround, the exploit itself was relatively trivial and allows for the ability to compromise the underlying operating system. The exposure is contained within a vulnerable parameter that allows for directory traversal and the ability to call poorly written scripts.

A screenshot of a cell phone Description automatically generated

It is advised that anyone leveraging Citrix ADC (NetScalers) should follow the links at the bottom of this post (specifically, the mitigation efforts to address this vulnerability) immediately. We are aware of large scanning efforts already occurring across the globe in an effort to map NetScalers for this specific vulnerability and exposure.

The workarounds are focused on eliminating directory traversals in general and restricting access to the VPNs folder, which contains scripts that allow files to be written (in a specific format) to later be called for remote code execution.

add
responder policy ctx267027
"HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\")
&& (!CLIENT.SSLVPN.IS_SSLVPN ||
HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))"
respondwith403

Impacted Systems:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Supporting Links:

https://support.citrix.com/article/CTX267027

https://support.citrix.com/article/CTX267679

https://nvd.nist.gov/vuln/detail/CVE-2019-19781#vulnCurrentDescriptionTitle

The post Critical Exposure in Citrix ADC (NetScaler) – Unauthenticated Remote Code Execution appeared first on TrustedSec.



from TrustedSec https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/

Comments

Post a Comment

Popular posts from this blog

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"

Image
Eric Howes , KnowBe4 Principal Lab Researcher, found out about another insidious bad guy trick: " If you work in IT there has undoubtedly come a dark moment when you wondered to yourself just who among your employee users would be gullible enough to click through a phishing email and potentially bring down your organization. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame
Read more

Krebs - NY Charges First American Financial for Massive Data Leak

Image
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties. First American Financial Corp. Santa Ana, Calif.-based  First American [ NYSE:FAF ] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019 . As first reported here last year , First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. The docum
Read more

SBS CyberSecurity - In The Wild 166

Image
  In The Wild - CyberSecurity Newsletter Welcome to the 166 th issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources!           Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. CyberRiskNOW Virtual Conference SBS Educational Resources This virtual conference is designed to provide interactive training on evo
Read more