Threat Response: Citrix Gateway/ADC RCE (CVE-2019-19781)

14-1-2020

On December 17, 2019, Citrix announced that a vulnerability exists in current versions of Citrix Application Delivery Controller (ADC, formerly known as NetScaler ADC) and Citrix Gateway (formerly known as NetScaler Gateway) [1]. This vulnerability, registered as CVE-2019-19781 (CVSS score: 9.8) [3], can lead to remote code execution without the need to authenticate. Last weekend, multiple ways of exploiting the vulnerability were published [4]. We therefore want to inform you about the threats and the possible mitigations regarding this vulnerability.

Description

Citrix has not yet provided a full overview of the vulnerability. Judging by the mitigation steps, the vulnerability appears to be related to the handling of requests that abuse “directory traversal”. An attacker can use this technique to retrieve files stored inside folders that should normally not be accessible. The following products are affected:

Citrix ADC and Gateway, versions:

  • 13.0
  • 12.1
  • 12.0
  • 11.1
  • 10.5 (NetScaler ADC / NetScaler Gateway)

The following timeline of events can be established:

17-12-2019:

  • Citrix announces the vulnerability registered as CVE-2019-19781. A CVSS score of 9.8 is assigned.

11-01-2020:

  • Multiple methods for exploiting the vulnerability appear on the internet
  • Citrix publishes mitigation steps on their website

Risk

At this moment, the vulnerability is actively being exploited. An attacker does not require physical access to an affected device. Furthermore, a successful attack can lead to remote code execution. Based on the combination of these factors, Northwave rates the risk of this vulnerability as high.

Mitigation

Citrix is working on a fix for this vulnerability. The fix will be delivered in an update that is not yet available. An expected timeline for this update has been made public, with the first updates expected on 20 January.

For now, Citrix has outlined steps that can be performed to mitigate the risk [2]. Northwave strongly recommends executing these steps on affected devices as soon as possible. The mitigation steps differ per setup type, but for a standalone machine, the commands to be executed are as follows:

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config

For other setup types, please refer to the Citrix support page [2].
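
The condition in the ctx267027 responder policy can also be used to review HTTP access logs for requests it would have blocked. The following is an added example, not part of the Citrix mitigation or of Northwave's advisory; the function names, the common-log-format input and the use of percent-decoding as a stand-in for DECODE_USING_TEXT_MODE are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Request line inside a common-log-format entry: "METHOD URL PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def decode_url(raw_url: str) -> str:
    """Approximate DECODE_USING_TEXT_MODE with percent-decoding (assumption)."""
    return unquote(raw_url)


def policy_matches(raw_url: str, is_sslvpn_client: bool) -> bool:
    """Mirror the ctx267027 expression: URL contains /vpns/ AND
    (client is not SSLVPN OR URL contains /../)."""
    url = decode_url(raw_url)
    return "/vpns/" in url and (not is_sslvpn_client or "/../" in url)


def scan_log(lines):
    """Return (line_number, url) for requests the policy would block even
    for an SSLVPN client, i.e. /vpns/ combined with /../ after decoding."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and policy_matches(match.group("url"), is_sslvpn_client=True):
            hits.append((number, match.group("url")))
    return hits


# Constructed sample log lines (documentation IPs, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jan/2020:09:12:01 +0100] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jan/2020:09:12:05 +0100] "GET /a/../vpns/placeholder HTTP/1.1" 200 90',
    '198.51.100.7 - - [13/Jan/2020:09:12:09 +0100] "GET /a/%2e%2e/vpns/placeholder HTTP/1.1" 200 90',
    '192.0.2.44 - - [13/Jan/2020:09:13:30 +0100] "GET /vpns/placeholder HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for number, url in scan_log(SAMPLE_LOG):
        print(f"line {number}: traversal request to /vpns/: {url}")
```

Access logs do not record whether a client had an SSLVPN session, so the scan only reports the traversal branch of the condition; plain /vpns/ requests from clients without a session need separate review.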

If you need additional information you can call us by phone or send us an email.

Phone number: 030-3031244 (during business hours)
E-mail: [email protected]

Do you have an incident right now? Call our CERT number: 0800-2255 2747

Sources

[1]: Description of the vulnerability, Citrix: https://support.citrix.com/article/CTX267027

[2]: Mitigation steps, Citrix: https://support.citrix.com/article/CTX267679

[3]: CVE page: https://nvd.nist.gov/vuln/detail/CVE-2019-19781

[4]: https://www.bleepingcomputer.com/news/security/citrix-adc-cve-2019-19781-exploits-released-fix-now/

[5]: NCSC Advice: https://www.ncsc.nl/actueel/advisory?id=NCSC-2019-0979

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.