Jump to content
Welcome to our new Citrix community!

Mitigation Steps for CVE-2019-19781


Recommended Posts

VPX on the SDX with the following versions will be affected follow https://support.citrix.com/article/CTX267679 

• Citrix ADC and Citrix Gateway version 13.0 all supported builds

• Citrix ADC and NetScaler Gateway version 12.1 all supported builds

• Citrix ADC and NetScaler Gateway version 12.0 all supported builds

• Citrix ADC and NetScaler Gateway version 11.1 all supported builds

• Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Link to comment
Share on other sites

The SDX itself is not vulnerable as it doesn't host the /vpns/ paths.  Just the VPX instances running on top of it.

 

The responder policy and the settings to apply it to global management ips, is fairly constrained to specific types of requests with references to the /vpns/ directory if not the vpn client or containing a directory browse ".." reference.  The risk to legitimate traffic is low and should not interfere with normal gateway style access, with the exception of preventing access tot the vpn client downloads page in the GUI (noted at bottom of article)...I don't know if this impacts the delivery of the vpn client to users, but an alternate client distribution mechanism could be employed if it does.  The attack prevention is effective until an update can be released.  Its still recommend that you test the config after deploying the mitigation, but I think you are better off with the responder policy while waiting on the build update.

 

For when an updated build will be available. But subscript to the NetScaler security alerts and keep an eye on this arrticle and the original security bulletin for when updates are available.  (Hopefully someone from Citrix can give you more info if you are still concerned.)

 

Security bulletin for reference:  https://support.citrix.com/article/CTX267027

Link to comment
Share on other sites

  • 3 weeks later...
On 1/11/2020 at 2:21 PM, Kevin Harris1709161607 said:

We applied the required mitigation and assumed we were protected. Today someone finally released the code to test (cUrl command ) and upon testing our gateways we discovered they are still vulnerable!?!?

 

I'm on hold now with Citrix for 40+ mins trying to get this resolved. Anyone else run into this?

what code did you use to test? 

Link to comment
Share on other sites

Patching and mitigation will be probably not enough. You have to re-check and control all your appliances.
In our case, we decide to restore instances (or re-image instances) from 1st week of december before the CVE-2019-19781 publication, implement the miyigation proposed by Citrix, revoke/renew certificates + reset of all passwords involved with NetScaler + reset of all administrative accounts with priviledges. Read carefully these both articles

https://www.poppelgaard.com/cve-2019-19781-what-you-should-know-and-how-to-fix-your-citrix-adc-access-gateway

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

 

Link to comment
Share on other sites

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...