
CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller. Can someone tell the effect of this vulnerability on our Citrix devices?


Pushpendra Kumar


It is very hard...all is possible. Please analyze all security risks.

 

There are about 20 risks that have been identified, including a file with all passwords of nsroot and all users who have ever logged in. Either you find the passwords in plain text or as a hash value. It is not difficult to decrypt the seemingly "difficult" passwords. Processes, scripts, files etc. are exchanged or executed.
The danger is considered extremely high. I am surprised that Citrix does not consider it necessary to open communication about this topic or to work out a solution. In my opinion it would be necessary for all companies that have been attacked to make public statements. Data of many customers/persons/companies are currently in danger. Information is EVERYTHING. Many companies are affected, but also Citrix, whose share price is in great danger. One now has a few alternatives:
1. Remove NetScaler from the network until a patch may be available at the end of the month, and reinstall all.
2. Precise analysis of the appliance(s); this is unfortunately very (time) expensive, but feasible.
3. Security check the entire network and proactively introduce security measures.

 

Wolfgang

 


As Wolfgang said, this is EXTREMELY serious.

You can easily check if you're vulnerable here:

https://cve-2019-19781.azurewebsites.net/

 

Here is a blog post that details what you need to do if you've been compromised.

https://nerdscaler.com/2020/01/13/citrix-adc-cve-2019-19781-exploited-what-now/amp/

The above post also goes into more detail about what the hackers have done to compromise the ADCs.

 

Target date for a fix from Citrix is 1/20/2020 or 1/31/2020 (depending on the version of firmware you are running).


Craig Young at Tripwire did a nice writeup/analysis (link below). The takeaway for me was that an attacker has complete access to the device and can run/modify anything they want on the device. If your device sits in the DMZ between the public internet and a secure network, an attacker could conceivably begin attacking weaknesses in your Citrix Virtual Apps infrastructure next.

 

https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/

 


Hey guys,

I confirmed the mitigation plan on NetScaler versions 11 and 12 has been executed successfully.

 

Now I am planning to upgrade the existing NetScaler to the latest version, NS 12.58 or 12.63 (12.63 is yet to be released by Citrix and would be available on 20 Jan 2019).

 

Since I am running my NS Gateway on a standalone NS, I want to upgrade it during working hours; however, the reboot can be done after business hours.

Just want to know whether there is any business impact if we keep the reboot pending.

Is it good practice to apply the upgrade during business hours and reboot after business hours?

 

Appreciate it if anybody can advise on the same.

 

Kind regards,

Rakesh

 


Questions to the community and to Citrix directly:

 

Question to Citrix: I would like a 100% statement if NetScaler devices in the Citrix Cloud were attacked. If so, what measures were taken?

 

Question to Citrix: Were all partners fully informed with all technical details about the vulnerability and potential threats? By that I do not mean the reference to the single document "CTX267679 - Mitigation steps for CVE-2019-19781". There is no clear recommendation from Citrix on how to act in case of a vulnerability.

 

Question to Citrix: Due to the vulnerability, the configuration data of NetScaler, passwords of nsroot, and passwords of ALL users who have ever logged in via NetScaler at some point in time have been transferred to the outside world. What action does CITRIX recommend? Exact details please!

 

Question to Citrix: Some NetScalers/ADCs use the FreeBSD operating system as their Linux system. However, the corresponding version of the NetScaler operating system is "OUT-OF-DATE". When will there be changes and updates?


According to the manufacturer, security updates will not be available until the end of January 2020, depending on the version branch of the affected products. These should then be installed as soon as possible, according to Citrix. I seriously wonder why it takes about 6 weeks to close such a large security hole, which has been known since 17.12.2019. That can only mean that:


1. Citrix itself is not technically capable of handling the problem
2. Citrix does not have sufficient trained personnel to deal with the problem as quickly as possible 
3. Citrix may be pushing the "cloud" strategy. Perhaps the statement "This wouldn't have happened in the cloud" will come in mid-February; let's see what else we can expect.

 

In Germany alone, almost 5,000 vulnerable Citrix systems accessible from the Internet have been reported to German network operators in the past few days. Currently, around 1,500 of these are still vulnerable to attackers (source: BSI). Worldwide, about 40,000 systems are likely to be affected. Unfortunately Citrix reacts slowly, workarounds and patches are not offered comprehensively and solutions are recommended. A "shutdown" of the systems is certainly no solution, but at most a "workaround".

 

Citrix provides an analysis tool (CTX269180) for a potential attack. But Citrix also says:

"Please note that the tool is not designed to detect the vulnerability against the NSIP or other Management IPs" - well, have fun with it, wow!

I am waiting for good answers dear friends! Thanks for any information.

 

Wolfgang

 


Wolfgang,

 

Nice post... There are so many posts about the vulnerability that I think Citrix may miss your questions.

I would suggest creating a new post with a title along the lines of:

 

Questions for Citrix on the CVE-2019-19781 Vulnerability - The community would like (deserves?) some answers.

 

-Sam


There are so many threads about this issue that I am not sure which one I should choose, but here it goes:

 

I have done the Mitigation Steps for CVE-2019-19781 and now the Responder action shows ~40 hits and it is growing. Does this mean someone is trying to attack our system? If so, is there a way to see more details about these hits somewhere, e.g. the IP address they are coming from, etc.?


Hi tylital,

Yes, there is potentially someone trying to attack you. You can configure an Audit Log Action and bind it to your Responder Policy.

 

1. Log User Configurable Log Messages to ns.log:
set audit syslogParams -userDefinedAuditlog YES

 

2. Create Audit Log Action:
add audit messageaction AMA_Log_CVE-2019-19781 WARNING "\"CVE-2019-19781 - Client: \"+CLIENT.IP.SRC+\" tries to connect to \"+HTTP.REQ.HOSTNAME+HTTP.REQ.URL" -logtoNewnslog YES

 

3. Bind Audit Log Action to your Responder Policy:
set responder policy ctx267027 -logAction AMA_Log_CVE-2019-19781

 

4. Open your ns.log file, choose Severity "WARN" and see which IP is potentially trying to exploit you (and which URL it hits).

 

The result should look like "CVE-2019-19781 - Client 1.2.3.4 tries to connect to www.test.com/vpn/../vpns/portal/abc.xml".

 

Best regards,

Jens
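As an added example (not part of Jens's post, and not a Citrix tool), here is a small Python script that reads ns.log lines carrying the custom audit message from step 2 and aggregates them per source IP, which is the detail tylital asked for above. The sample log excerpt is constructed, not captured from a real appliance; the timestamp/facility/severity prefix is an assumption about ns.log's layout, and only the message text follows the string builder of the audit message action.

```python
import re
from collections import defaultdict

# Matches the message body built by the audit message action in the post:
#   "CVE-2019-19781 - Client: " + CLIENT.IP.SRC + " tries to connect to " + HOSTNAME + URL
# The colon after "Client" is optional so the quoted example ("Client 1.2.3.4 ...") also matches.
HIT_RE = re.compile(
    r"CVE-2019-19781 - Client:? (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"tries to connect to (?P<target>\S+)"
)

# Constructed sample ns.log excerpt (assumption: this prefix layout; not real appliance output).
# The final field of each WARN line is exactly what the audit message action would emit.
SAMPLE_NS_LOG = """\
Jan 14 10:01:02 <local0.warn> ns 0-PPE-0 : default WARN 101 :  CVE-2019-19781 - Client: 203.0.113.10 tries to connect to www.test.com/vpn/../vpns/portal/abc.xml
Jan 14 10:01:02 <local0.info> ns 0-PPE-0 : default SSLVPN Message 102 :  User alice logged in
Jan 14 10:01:05 <local0.warn> ns 0-PPE-0 : default WARN 103 :  CVE-2019-19781 - Client: 203.0.113.10 tries to connect to www.test.com/vpn/../vpns/portal/abc.xml
Jan 14 10:02:17 <local0.warn> ns 0-PPE-0 : default WARN 104 :  CVE-2019-19781 - Client: 198.51.100.23 tries to connect to gw.test.com/vpn/../vpns/portal/abc.xml
Jan 14 10:03:40 <local0.warn> ns 0-PPE-0 : default WARN 105 :  CVE-2019-19781 - Client: 203.0.113.10 tries to connect to www.test.com/vpn/../vpns/portal/abc.xml
"""


def parse_hits(log_text):
    """Yield (source_ip, target) for every line carrying the custom audit message.

    Lines without the message (normal SSLVPN traffic, other severities) are skipped.
    """
    for line in log_text.splitlines():
        m = HIT_RE.search(line)
        if m:
            yield m.group("ip"), m.group("target")


def summarize_hits(log_text):
    """Aggregate hits per source IP: number of hits and the distinct host+URL targets.

    Returns a dict ordered with the most active source first, e.g.
    {"203.0.113.10": {"hits": 3, "targets": ["www.test.com/vpn/../vpns/portal/abc.xml"]}, ...}
    """
    summary = defaultdict(lambda: {"hits": 0, "targets": set()})
    for ip, target in parse_hits(log_text):
        summary[ip]["hits"] += 1
        summary[ip]["targets"].add(target)
    return {
        ip: {"hits": d["hits"], "targets": sorted(d["targets"])}
        for ip, d in sorted(summary.items(), key=lambda kv: -kv[1]["hits"])
    }


def total_hits(log_text):
    """Total number of responder hits logged, comparable to the policy hit counter."""
    return sum(1 for _ in parse_hits(log_text))


if __name__ == "__main__":
    # Real use: summarize_hits(open("/var/log/ns.log").read())
    print(f"{total_hits(SAMPLE_NS_LOG)} logged hit(s)")
    for ip, info in summarize_hits(SAMPLE_NS_LOG).items():
        print(f"{ip:16} {info['hits']:4} hit(s)  {', '.join(info['targets'])}")
```

The per-IP table is what you would feed into a firewall block list or a SIEM lookup; a single address repeating the same traversal URL over a few minutes is the pattern the question describes.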


Patching and mitigation will probably not be enough. You have to re-check and control all your appliances.
In our case, we found some compromised appliances (the mitigation proposed by Citrix had been implemented too late, on 12/01/2020). We decided to restore instances (or re-image instances) from the 1st week of December, before the CVE-2019-19781 publication, implement the mitigation proposed by Citrix, revoke/renew certificates, reset all passwords involved with NetScaler, and reset all administrative accounts with privileges. Re-control everything after remediation.

Read carefully both these articles for the verification steps and other recommendations:

https://www.poppelgaard.com/cve-2019-19781-what-you-should-know-and-how-to-fix-your-citrix-adc-access-gateway

Read also this one, not so funny:

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html
