CVE-2019-19781 – What you should do and what’s happening around

Last Updated on July 12, 2020

On 17 December 2019, Citrix identified a vulnerability that could allow an unauthenticated attacker to perform arbitrary code execution on Citrix ADC (Application Delivery Controller, formerly NetScaler ADC) and NetScaler Gateway. This vulnerability affects Citrix ADC and VPX on any host/SDX. Further investigation by Citrix has shown that the issue also affects certain deployments of Citrix SD-WAN, specifically the Citrix SD-WAN WANOP edition. The vulnerability has been assigned CVE-2019-19781.

CVE-2019-19781

Citrix has released mitigation steps that every customer with an affected appliance should apply until a fixed refresh build is available. Keep track of the timelines at https://support.citrix.com/article/CTX267027, or subscribe to bulletin alerts at https://support.citrix.com/user/alerts.

What You Should Do

  1. Create the Responder Policy on the standalone, HA or clustered appliances as described in CTX267679.
  2. Verify it using the POC exploit by ProjectZeroIndia (shell), ADC Honeypot (Python), or the one provided by CISA (whl, a Python wheel package). If the customer does not approve of those, use the Citrix-provided verification tool (Python). If that is not enough, use the IoC Scanner (Indicator of Compromise Scanner) tool that Citrix and FireEye developed together.
  3. Customers who have implemented the Citrix-suggested mitigation steps should execute `save config` and `save nsconfig` after creating the responder policy and before rebooting the appliance.
  4. Customers who have implemented the Citrix-suggested mitigation steps should confirm that there is no other responder policy bound in the global context with Priority 1.
  5. Customers who use Qualys should look for QID 372305 in their vulnerability scans. Check this out.
  6. Customers who use F5 should look for Attack Signature 200004998 in BIG-IP ASM. Check this out.
  7. Customers running NetScaler ADC 12.1 build 50.28 should be especially vigilant: a known issue in that build affects responder and rewrite policies, causing them not to process packets that match the policy rules.

What’s Happening Around

  1. Johannes Ullrich (@johullrich) at the SANS Internet Storm Center captured honeypot logs that show how CVE-2019-19781 is being exploited. Check out this article.

     ```http
     POST //vpns/portal/scripts/newbm.pl?url=[source IP redacted]&title=1232&desc=12312&UI_inuse=RfWeb HTTP/1.1
     Host: [redacted]
     User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
     Accept-Encoding: gzip, deflate
     Connection: keep-alive
     Upgrade-Insecure-Requests: 1
     Cache-Control: max-age=0, no-cache
     Origin: http://[honeypot ip redacted]
     Pragma: no-cache
     Content-Length: 0
     ```

  2. Craig Young (@craigtweets) shows how, with the help of a simple test, he was able to identify that 39,378 IPs were vulnerable, and that list contains high-value targets including finance, government and healthcare. Check this out right here.

     ```sh
     # Mitigated appliances answer the traversal request with a 403 "You don't have permission" page.
     curl -vk --path-as-is "https://$TARGET/vpn/../vpns/" 2>&1 | grep "You don't have permission to access /vpns/" >/dev/null && echo "VULNERABLE: $TARGET" || echo "MITIGATED: $TARGET"
     ```

  3. Shodan has added detection for CVE-2019-19781 to Shodan Monitor.
  4. The Dutch National Cyber Security Centre (NCSC) urges companies to shut down Citrix ADC and Gateway if the mitigation measures provided by Citrix have not yet been applied. NCSC advises some additional mitigation measures that you can read right here.
  5. The REvil ransomware gang has been identified targeting Citrix servers. There are unconfirmed rumors that the Maze ransomware gang is also attacking Citrix servers. Read more about it here.
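The honeypot request above and the curl check share the same indicators: a request that reaches `/vpns/` from the unauthenticated `/vpn/` context, either by directory traversal (`/../`, possibly URL-encoded) or by the leading double slash, and often ending in `newbm.pl`. The following is an added example, not code from the original post or from any of the tools it mentions; it scans constructed Apache-style access-log lines for those indicators so a defender can find attempts in their own web logs (the log format and sample addresses are assumptions).

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (Apache combined-style); these are not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Jan/2020:10:02:11 +0000] "POST //vpns/portal/scripts/newbm.pl?url=http://x&title=1232 HTTP/1.1" 200 0
198.51.100.7 - - [11/Jan/2020:10:02:12 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1212
203.0.113.9 - - [11/Jan/2020:10:03:40 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/newbm.pl HTTP/1.1" 403 0
192.0.2.5 - - [11/Jan/2020:10:05:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123
192.0.2.5 - - [11/Jan/2020:10:05:03 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8812
"""

# Minimal parser for the assumed log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious(target):
    """Return the list of CVE-2019-19781 indicators found in a request target (empty if none)."""
    raw_path = target.split("?", 1)[0]
    path = unquote(unquote(raw_path))  # decode twice so %252e%252e is seen as '..'
    reasons = []
    if "/vpns/" in path:
        if "/../" in path:
            reasons.append("directory traversal into /vpns/")
        if "//" in raw_path:  # the leading '//' seen in the honeypot capture
            reasons.append("double-slash bypass into /vpns/")
    if path.endswith("/newbm.pl"):
        reasons.append("newbm.pl script access")
    return reasons


def scan(log_text):
    """Return one record per suspicious request; status 403 means the responder policy blocked it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = is_suspicious(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"], "; ".join(hit["reasons"]))
```

A 200 response on a flagged line means the appliance served the request and should be treated as a possible compromise, not just an attempt.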

Update 1

Refreshed builds for Citrix ADC versions 12.0 and 11.1 and Citrix Gateway versions 12.0 and 11.1 are out. Download them from https://www.citrix.com/downloads/citrix-adc/ and https://www.citrix.com/downloads/citrix-gateway/.

Citrix ADC and Citrix Gateway

| Version | Refresh Build | Release Date |
|---------|---------------|--------------|
| 10.5 | 10.5.70.x | 24th January 2020 |
| 11.1 | 11.1.63.15 | 19th January 2020 (Released) |
| 12.0 | 12.0.63.13 | 19th January 2020 (Released) |
| 12.1 | 12.1.55.x | 24th January 2020 |
| 13.0 | 13.0.47.x | 24th January 2020 |

Citrix SD-WAN WANOP

| Release | Citrix ADC Release | Release Date |
|---------|--------------------|--------------|
| 10.2.6 | 11.1.51.615 | 24th January 2020 |
| 11.0.3 | 11.1.51.615 | 24th January 2020 |

Update 2

Refreshed builds for Citrix ADC versions 12.1 and 13.0 and Citrix Gateway versions 12.1 and 13.0 are out. Download them from https://www.citrix.com/downloads/citrix-adc/, https://www.citrix.com/downloads/citrix-gateway/ and https://www.citrix.com/downloads/citrix-sd-wan/.

Citrix ADC and Citrix Gateway

| Version | Refresh Build | Release Date |
|---------|---------------|--------------|
| 10.5 | 10.5.70.x | 24th January 2020 |
| 11.1 | 11.1.63.15 | 19th January 2020 (Released) |
| 12.0 | 12.0.63.13 | 19th January 2020 (Released) |
| 12.1 | 12.1.55.x | 24th January 2020 (Released) |
| 13.0 | 13.0.47.x | 24th January 2020 (Released) |

Citrix SD-WAN WANOP

| Release | Citrix ADC Release | Release Date |
|---------|--------------------|--------------|
| 10.2.6 | 11.1.51.615 | 24th January 2020 (Released) |
| 11.0.3 | 11.1.51.615 | 24th January 2020 (Released) |

Update 3

Fixed builds have been released across all supported versions of Citrix ADC and Citrix Gateway. Fixed builds have also been released for Citrix SD-WAN WANOP for the applicable appliance models.

Citrix ADC and Citrix Gateway

| Version | Refresh Build | Release Date |
|---------|---------------|--------------|
| 10.5 | 10.5.70.x | 24th January 2020 (Released) |
| 11.1 | 11.1.63.15 | 19th January 2020 (Released) |
| 12.0 | 12.0.63.13 | 19th January 2020 (Released) |
| 12.1 | 12.1.55.x | 24th January 2020 (Released) |
| 13.0 | 13.0.47.x | 24th January 2020 (Released) |

Citrix SD-WAN WANOP

| Release | Citrix ADC Release | Release Date |
|---------|--------------------|--------------|
| 10.2.6 | 11.1.51.615 | 24th January 2020 (Released) |
| 11.0.3 | 11.1.51.615 | 24th January 2020 (Released) |
