
CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller. New password will be reset!


Thomas Goldbeck


Our NetScaler Gateway (virtual appliance) has been compromised and I replaced it with a completely old version from our backup. I applied the Citrix workaround https://support.citrix.com/article/CTX267679 without having connected the restored appliance to any network. Then I did all the steps described here https://nerdscaler.com/2020/01/13/citrix-adc-cve-2019-19781-exploited-what-now/amp/ to check that the system from my backup is clean. I have also changed the password!

 

Additionally, I started the compromised appliance in a lab area without any network connection to check this appliance again. I really could see some of the described indicators. None of these indicators were found on the restored appliance until today.

 

Today I wanted to check the system again and was not able to log on. After several tries I got the idea to choose the old password. I could log on!!!! The password was reset!!!! That means that the Citrix workaround does NOT help!!!

 

I will check this every day for the next weeks.

 


Today I tried to connect to our farm via the Citrix ADC app. It was not possible. Therefore I used an emergency access to check. I found that the ADC app has crashed and it seems to write a dump file (see pic.). The dump file writes until 62% and then it stops. Pressing the enter key gives the option of pressing control-c to abort. Having done this, the system reboots normally and everything looks OK. But when connecting via PuTTY or browser, the password is reset again!!!

 

From my point of view the explanation is that in the meantime there is not only an attack which tries to restore the old configuration (with the old password) - horrible enough!!! - but the attackers are also trying with violence to regain full control over the system.

 

That also means: a complete new installation of the ADC app will not help, since the downloadable app is still buggy!!! It's a disaster!!!!

 

Citrix: HELP !!!!

 

 

[attached screenshot: ADC crash dump output]


It looks like you have forgotten to save the configuration after you changed the password for nsroot and the NetScaler crashed… :) Mitigation steps solve the vulnerability for all NS builds except the:

 

In Citrix ADC and Citrix Gateway Release "12.1 build 50.28", an issue exists that affects responder and rewrite policies causing them not to process the packets that matched policy rules. Citrix recommends that customers choose one from the following two options for the mitigation steps to function as intended.

 

You can also easily verify whether your NetScaler has been compromised:
https://nerdscaler.com/2020/01/13/citrix-adc-cve-2019-19781-exploited-what-now/amp/?__twitter_impression=true

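The point made in the reply above, that a password change on a NetScaler lives only in the running configuration until it is saved and therefore reverts when the appliance reboots or crashes, can be checked before the next reboot. The script below is an added example written for this thread, not code from Citrix or from any of the posters. It assumes the saved configuration is the plain-text /nsconfig/ns.conf and that the running configuration has been dumped to a text file (for example from `show ns runningConfig`); every configuration line, hash and policy name in it is constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread or from Citrix: find NetScaler CLI
# commands that exist only in the running configuration and would be lost on
# a reboot or crash because "save ns config" was never run after them.
# All config lines, hashes and the policy name below are CONSTRUCTED samples;
# on a real appliance the saved file is /nsconfig/ns.conf and the running
# config comes from "show ns runningConfig" (assumption: both as plain text).

# Print the lines present in RUNNING_FILE but absent from SAVED_FILE.
# Usage: unsaved_lines RUNNING_FILE SAVED_FILE
unsaved_lines() {
    tmp_run=$(mktemp) && tmp_saved=$(mktemp) || return 1
    # Persistence is a set question, so order does not matter: sort both
    # files and keep only the lines unique to the running config.
    sort -u "$1" > "$tmp_run"
    sort -u "$2" > "$tmp_saved"
    comm -23 "$tmp_run" "$tmp_saved"
    rm -f "$tmp_run" "$tmp_saved"
}

# Number of unsaved lines, as a bare integer.
unsaved_count() {
    unsaved_lines "$1" "$2" | wc -l | tr -d ' \t'
}

# Exit 0 when the nsroot credential line of the running config is also in the
# saved config (the password change survives a reboot), 1 otherwise.
nsroot_change_persisted() {
    running_line=$(grep '^set system user nsroot ' "$1") || return 1
    grep -Fxq "$running_line" "$2"
}

# Write constructed sample files into DIR: a running config with a changed
# nsroot password and a newly bound responder policy, and a saved config that
# still carries the old password and lacks the binding.
make_samples() {
    cat > "$1/running.conf" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set system user nsroot CONSTRUCTED_NEW_HASH -encrypted
enable ns feature responder
bind responder global example_policy 1 END -type REQ_OVERRIDE
EOF
    cat > "$1/saved.conf" <<'EOF'
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set system user nsroot CONSTRUCTED_OLD_HASH -encrypted
enable ns feature responder
EOF
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "Commands not persisted to the saved config:"
unsaved_lines "$demo_dir/running.conf" "$demo_dir/saved.conf"
if nsroot_change_persisted "$demo_dir/running.conf" "$demo_dir/saved.conf"; then
    echo "nsroot password change is saved"
else
    echo "nsroot password change is NOT saved: it will revert on the next reboot"
fi
rm -rf "$demo_dir"
```

On the constructed samples the script reports two unsaved commands (the new nsroot credential line and the responder policy binding), which is exactly the situation in which a crash brings back the old password and drops the mitigation binding at the same time. Running the saved file against itself reports nothing, which is the state you want to see after `save ns config`.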

Patching and mitigation will probably not be enough. You have to re-check and control all your appliances.
In our case, we decided to restore instances (or re-image instances) from the 1st week of December, before the CVE-2019-19781 publication, implement the mitigation proposed by Citrix, revoke/renew certificates + reset all passwords involved with NetScaler + reset all administrative accounts with privileges.

Read both of these articles carefully for the verification steps:

https://www.poppelgaard.com/cve-2019-19781-what-you-should-know-and-how-to-fix-your-citrix-adc-access-gateway

https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

 

