Alert Logic® is actively researching a vulnerability (CVE-2019-19781) in Citrix Application Delivery Controller (ADC) and Citrix Gateway, formerly known as NetScaler ADC and NetScaler Gateway, respectively. This unauthenticated remote code execution (RCE) vulnerability allows attackers to remotely control victim hosts and execute code, install persistence, and laterally move throughout the network. Exploit code has been released into the public domain, and we have observed active attacks against our customer base using this vulnerability.
There is currently no patch available, but Citrix has recommended mitigation steps. Customers running a vulnerable version of the software should follow Citrix’s mitigation recommendations and apply patches as they become available.
Since the release of the proof of concept (POC), the Alert Logic Security Operations Center has been actively hunting for exploits of this threat through our existing exploit signatures and post-compromise telemetry, and alerting customers to any evidence of exploit.
Vulnerability Description
CVE-2019-19781 was announced by Citrix on December 17, 2019, and a POC was made widely available on January 10, 2020. The core flaw is a directory traversal that gives the attacker access to a file which, in turn, leads to the RCE. In the specific POC case, the accessed file is /vpn/../vpns/portal/scripts/newbm.pl, which allows the attacker to write an arbitrary file to the server's filesystem. Follow-on access to that file triggers execution.
Since this is an unauthenticated attack, no prior information is needed to exploit a victim host. The attack is manually invoked by the attacker using the existing POC or a derivative of it.
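As an added example (not Alert Logic's code or signatures, and not part of the original advisory), the following Python normalizes request paths from constructed access-log lines and flags requests under /vpn/ that use ".." to reach /vpns/, the traversal pattern described above. The log line format and the sample lines are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory):
# "<client> <method> <raw request path> <status>"
SAMPLE_LOG = """\
198.51.100.7 GET /vpn/index.html 200
198.51.100.7 POST /vpn/../vpns/portal/scripts/newbm.pl 200
198.51.100.9 GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl 200
203.0.113.4 GET /vpn/images/logo.png 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")


def normalize(raw_path: str) -> str:
    """Percent-decode (twice, to catch double encoding) and collapse
    '.' and '..' segments the way the server's filesystem resolves them."""
    return posixpath.normpath(unquote(unquote(raw_path)))


def is_traversal_to_vpns(raw_path: str) -> bool:
    """True when a request under /vpn/ uses '..' to escape into /vpns/,
    the pattern described in the vulnerability description."""
    decoded = unquote(unquote(raw_path))
    uses_dotdot = ".." in decoded.split("/")
    return (decoded.startswith("/vpn/")
            and uses_dotdot
            and normalize(raw_path).startswith("/vpns/"))


def scan(log_text: str) -> list:
    """Return one record per suspicious request found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        client, method, path, status = m.groups()
        if is_traversal_to_vpns(path):
            hits.append({"client": client, "method": method, "raw": path,
                         "resolved": normalize(path), "status": int(status)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['raw']} -> {hit['resolved']}")
```

A matching normalized path alone does not confirm compromise; correlate hits with follow-on requests to the written file, as the description notes, and with the host's own logs.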
The vulnerability affects all supported product versions and all supported platforms:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
For more information on CVE-2019-19781, refer to the security bulletin released by Citrix.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has developed vulnerability scan coverage to identify vulnerable assets.
Network IDS: Alert Logic has developed specific IDS signatures to enable efficient monitoring by the Alert Logic Security Operations Center.
Web Application Firewall: Alert Logic web application firewall general signatures will detect most attacks targeted at exploiting CVE-2019-19781. More specific coverage can be provided on request. If the Alert Logic inline web application firewall is in Protect mode, it will also block these attacks. However, since Citrix ADC is itself an ADC with web application firewall functionality, Alert Logic web application firewall coverage is unlikely to be deployed in front of it and, in that case, will not see traffic destined for the Citrix ADC.
Log Management: At this time, it is not expected that log detection is appropriate for this threat; however, Alert Logic will continue this assessment.
Recommendations for Mitigation
It is strongly recommended that you follow the Mitigation Steps for CVE-2019-19781 published by Citrix on their support site until a patch becomes available. Citrix has announced the following patch schedule. For more information, refer to the security bulletin released by Citrix.
Version | Refresh Build | Expected Release Date
10.5 | 10.5.70.x | 31st January 2020 (Updated to January 24)
11.1 | 11.1.63.x | 20th January 2020 (Released)
12.0 | 12.0.63.x | 20th January 2020 (Released)
12.1 | 12.1.55.x | 27th January 2020 (Updated to January 24)
13.0 | 13.0.47.x | 27th January 2020 (Updated to January 24)
Updates
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.
January 21, 2020: Permanent fixes for Citrix ADC versions 11.1 and 12.0 are available as downloads from Citrix. For more information, refer to updates provided by Citrix.
Additionally, Citrix has moved forward the availability of permanent fixes for other ADC versions as follows:
- ADC version 12.1, now January 24
- ADC version 13 and ADC version 10.5, now January 24