CVE-2019-19781


Yizhou Zha

"There is currently uncertainty about the effectiveness of the mitigation measures previously recommended by Citrix. This applies to all versions of Citrix ADC and Citrix Gateway servers. Since today, Citrix confirms on its website that these measures do not work in any case with version 12.1 in builds for 51.16 / 51.19 and 50.31."

5 hours ago, Jan Mulder1709153168 said:

Are systems still vulnerable after mitigation steps? The Dutch National Security Center claims that some NetScalers are still vulnerable (https://www.ncsc.nl/actueel/nieuws/2020/januari/16/door-citrix-geadviseerde-mitigerende-maatregelen-niet-altijd-effectief). I miss a statement or explanation from Citrix!!

The same question arises here. We will even stop our Netscaler services today until the patch is released.


While helping a client with the CVE-2019-19781 mitigations, I figured out a single command that can be issued on any up-to-date Windows 10 installation to test for successful implementation:

curl -I --path-as-is https://host-fqdn/vpn/../vpns/cfg/smb.conf

A 403 response is what you want to see (mitigations are working), a "200 OK" is bad news.

NOTE: Microsoft recently added CURL to Windows 10, so it's no longer necessary to test from a Linux distro or to find a ported version of CURL that runs on Windows 10. Nice!


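The check from the post above, wrapped so it can be run against a list of your own gateways and so saved `curl -I` output can be read reliably. This is an added example, not part of the original thread: it keeps the post's reading of 403 and 200 and reports anything else as inconclusive instead of guessing. The function names and verdict labels are assumptions of this example; hostnames are passed as arguments.

```shell
#!/bin/sh
# Added example: batch form of the curl check from the post above.
# Usage: ./check_mitigation.sh gw1.example.com gw2.example.com

# Map an HTTP status code to a verdict. The post only interprets 403 and
# 200; every other code is reported as inconclusive and needs a manual look.
classify_status() {
    case "$1" in
        403) echo "MITIGATED" ;;
        200) echo "NOT_MITIGATED" ;;
        000|"") echo "NO_RESPONSE" ;;   # timeout, DNS or TLS failure
        *) echo "INCONCLUSIVE" ;;
    esac
}

# Pull the status code out of saved `curl -I` header output. The LAST
# status line is used: when curl goes through a proxy, the first line can
# be "HTTP/1.1 200 Connection established", which is the proxy's answer,
# not the gateway's, and must not be read as "200 OK".
status_from_headers() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk '/^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { code = $2 } END { print code }'
}

# Issue the request from the post against one host and print
# "host<TAB>code<TAB>verdict". --path-as-is stops curl from collapsing
# the "/../" segment before sending, exactly as in the original command.
check_gateway() {
    gw_url="https://$1/vpn/../vpns/cfg/smb.conf"
    gw_code=$(curl -s -o /dev/null -I --path-as-is --max-time 10 \
        -w '%{http_code}' "$gw_url") || gw_code=000
    printf '%s\t%s\t%s\n' "$1" "$gw_code" "$(classify_status "$gw_code")"
}

# Nothing is contacted unless hostnames are given on the command line.
for gw_host in "$@"; do
    check_gateway "$gw_host"
done
```
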
Patching and mitigation will probably not be enough. You have to re-check and control all your appliances.
In our case, we found some compromised appliances, and we decided to restore instances (or re-image instances) from the 1st week of December, before the CVE-2019-19781 publication, implement the mitigation proposed by Citrix, revoke/renew certificates + reset all passwords involved with NetScaler + reset all administrative accounts with privileges. Re-control everything after remediation.

Read both of these articles carefully for the verification steps and other recommendations:

https://www.poppelgaard.com/cve-2019-19781-what-you-should-know-and-how-to-fix-your-citrix-adc-access-gateway

Also read this one, not so funny:

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html