CVE-2019-19781

[Myoe Minn Htike]

Is it only impact from the management interface (or) external internet interface?

[Diego Oliveira]

See:

https://support.citrix.com/article/CTX267679

[Rhonda Rowland1709152125]

The policy to mitigate is to prevent access via any ip (VIP such as vpn vserver or management enabled nsip/snips).  The nsapimgr command ensures the globally bound responder policy (which protects all web requests via any vip) would also apply to management ips.  At the moment, the recommendation is to protect all ingress points.

[Daniel Krause1709153565]

All Management IPs/ AAA VIPs/ Gateway VIPs exposed to the Internet are at risk. NetScaler Gateway setup in ICA proxy mode is also affected.
The reboot  is not necessary to apply the policy but it is a precautionary step to ensure that if there are any open sessions, obtained via the vulnerability.

Edited January 2, 2020 by dkrause505
Update from Citrix tech support

[Tracey Penston]

When trying to apply to NS11.1.59.10,

shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" comes back with a Syntax error: Unterminated Quoted String

 

Any ideas, I cant see an issue, and it worked fine on my Ns13.0.36.27 versions.

 

 

 

[Daniel Krause1709153565]

9 minutes ago, Tracey Penston said:

When trying to apply to NS11.1.59.10,

shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" comes back with a Syntax error: Unterminated Quoted String

 

Any ideas, I cant see an issue, and it worked fine on my Ns13.0.36.27 versions.

 

 

Hi, I also get this message when i delete a ' or " character. Please double check that you don't miss one of them.

shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 >> /nsconfig/rc.netscaler"
Syntax error: Unterminated quoted string

I deleted ' behind skip_systemaccess_policyeval=0

 

[Tracey Penston]

thanks, but no all are there,

I copied and pasted the line from the document,

also tried putting into Notepad and removing and re typing the " and ' but still no joy.

 

works fine for the newer version just the v11.1 that I am having this issue on

[Daniel Krause1709153565]

1 minute ago, Tracey Penston said:

thanks, but no all are there,

I copied and pasted the line from the document,

also tried putting into Notepad and removing and re typing the " and ' but still no joy.

 

works fine for the newer version just the v11.1 that I am having this issue on

 

OK, maybe it's a bug. Did you already test via "command line interface" under Configuration -> System -> Diagnostics -> Utilities ?

[Tracey Penston]

I did, tried via there, and by using Putty to the console, and get the same.

Thanks for your help.

 

 

[Daniel Krause1709153565]

6 minutes ago, Tracey Penston said:

I did, tried via there, and by using Putty to the console, and get the same.

Thanks for your help.

 

 

What about going to shell and just send command below. Also try with doublequotes " instead '

echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler

It's crazy because I have a 11.1 59.10 here and it works fine.

[Tracey Penston]

Strangely that worked.

Thanks very much .

[Etienne Coppin]

Patching and mitigation will be probably not enough. You have to re-check and control all your appliances.
In our case, we found some compromised appliance, we decide to restore instances (or re-image instances) from 1st week of december before the CVE-2019-19781 publication, implement the mitigation proposed by Citrix, revoke/renew certificates + reset of all passwords involved with NetScaler + reset of all administrative accounts with priviledges.. Recontrol everything after remediation.

Read carefully these both articles for the verification steps and other recommandations

https://www.poppelgaard.com/cve-2019-19781-what-you-should-know-and-how-to-fix-your-citrix-adc-access-gateway

Read also this one, not so funny :

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

 

[Daniel Krause1709153565]

10 hours ago, Etienne Coppin said:

Patching and mitigation will be probably not enough. You have to re-check and control all your appliances.
In our case, we found some compromised appliance, we decide to restore instances (or re-image instances) from 1st week of december before the CVE-2019-19781 publication, implement the mitigation proposed by Citrix, revoke/renew certificates + reset of all passwords involved with NetScaler + reset of all administrative accounts with priviledges.. Recontrol everything after remediation.

Read carefully these both articles for the verification steps and other recommandations

https://www.poppelgaard.com/cve-2019-19781-what-you-should-know-and-how-to-fix-your-citrix-adc-access-gateway

Read also this one, not so funny :

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

 

 

Hi Etienne,

why you don't explain why it is "probably" not enough?
The first link is 404 is the second is so long, that almost nobody has time to read all this.

 

Please correct me if I'm wrong but the tldr of second link is:

- Don't worry if you did the mitigation before 10. January.

- Worry and check all your devices if you did the mitigation after 10. January as described in section "Check if you are compromised"

 

[Etienne Coppin]

CISA : AA20-031A: Detecting Citrix CVE-2019-19781
https://www.us-cert.gov/ncas/alerts/aa20-031a