Jump to content
Welcome to our new Citrix community!

CVE-2019-19781


Myoe Minn Htike

Recommended Posts

The policy to mitigate is to prevent access via any ip (VIP such as vpn vserver or management enabled nsip/snips).  The nsapimgr command ensures the globally bound responder policy (which protects all web requests via any vip) would also apply to management ips.  At the moment, the recommendation is to protect all ingress points.

Link to comment
Share on other sites

All Management IPs/ AAA VIPs/ Gateway VIPs exposed to the Internet are at risk. NetScaler Gateway setup in ICA proxy mode is also affected.
The reboot  is not necessary to apply the policy but it is a precautionary step to ensure that if there are any open sessions, obtained via the vulnerability.

Edited by dkrause505
Update from Citrix tech support
Link to comment
Share on other sites

9 minutes ago, Tracey Penston said:

When trying to apply to NS11.1.59.10,

shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" comes back with a Syntax error: Unterminated Quoted String

 

Any ideas, I cant see an issue, and it worked fine on my Ns13.0.36.27 versions.

 

 

Hi, I also get this message when i delete a ' or " character. Please double check that you don't miss one of them.

shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 >> /nsconfig/rc.netscaler"
Syntax error: Unterminated quoted string

I deleted ' behind skip_systemaccess_policyeval=0

 

Link to comment
Share on other sites

1 minute ago, Tracey Penston said:

thanks, but no all are there,

I copied and pasted the line from the document,

also tried putting into Notepad and removing and re typing the " and ' but still no joy.

 

works fine for the newer version just the v11.1 that I am having this issue on

 

OK, maybe it's a bug. Did you already test via "command line interface" under Configuration -> System -> Diagnostics -> Utilities ?

Link to comment
Share on other sites

6 minutes ago, Tracey Penston said:

I did, tried via there, and by using Putty to the console, and get the same.

Thanks for your help.

 

 

What about going to shell and just send command below. Also try with doublequotes " instead '

echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler

It's crazy because I have a 11.1 59.10 here and it works fine.

Link to comment
Share on other sites

  • 3 weeks later...

Patching and mitigation will be probably not enough. You have to re-check and control all your appliances.
In our case, we found some compromised appliance, we decide to restore instances (or re-image instances) from 1st week of december before the CVE-2019-19781 publication, implement the mitigation proposed by Citrix, revoke/renew certificates + reset of all passwords involved with NetScaler + reset of all administrative accounts with priviledges.. Recontrol everything after remediation.

Read carefully these both articles for the verification steps and other recommandations

https://www.poppelgaard.com/cve-2019-19781-what-you-should-know-and-how-to-fix-your-citrix-adc-access-gateway

Read also this one, not so funny :

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

 

Link to comment
Share on other sites

10 hours ago, Etienne Coppin said:

Patching and mitigation will be probably not enough. You have to re-check and control all your appliances.
In our case, we found some compromised appliance, we decide to restore instances (or re-image instances) from 1st week of december before the CVE-2019-19781 publication, implement the mitigation proposed by Citrix, revoke/renew certificates + reset of all passwords involved with NetScaler + reset of all administrative accounts with priviledges.. Recontrol everything after remediation.

Read carefully these both articles for the verification steps and other recommandations

https://www.poppelgaard.com/cve-2019-19781-what-you-should-know-and-how-to-fix-your-citrix-adc-access-gateway

Read also this one, not so funny :

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

 

 

Hi Etienne,

why you don't explain why it is "probably" not enough?
The first link is 404 is the second is so long, that almost nobody has time to read all this.

 

Please correct me if I'm wrong but the tldr of second link is:

- Don't worry if you did the mitigation before 10. January.

- Worry and check all your devices if you did the mitigation after 10. January as described in section "Check if you are compromised"

 

Link to comment
Share on other sites

  • 2 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...