Unbind the Mitigation policy for CVE-2019-19781

[Manoj Rana]

Hi All,

 

I am looking for an advised we have upgraded the NetScaler firmware for CVE-2019-19781 also the Mitigation Steps is still enable. Responder policy still bind to global.

 

Can we unbind the  policy?

 

Thanks 

 

 

[Koenraad Willems]

Hi Manoj,

 

Since the patch fixes the vulnerability, I suppose the mitigation steps can be undone.

 

Best,

 

Koenraad

[Jens Dellner]

Hi Manoj,

yes you can completely remove the workaround.

 

I upgrade to 13.0.47.24 and removed the workaround. A scan shows that the netscaler is not vulnerable.

 

ns.log will now show detected attacks:

01/29/2020:06:29:55 GMT ns 0-PPE-0 : default SSLVPN Message 4066075 0 : "is_path_traversal_or_vpns_attack_request Path traversal detected |/vpn/../vpns/cfg/smb.conf|"

01/29/2020:08:27:50 GMT ns 0-PPE-0 : default SSLVPN Message 4331943 0 : "is_path_traversal_or_vpns_attack_request Path traversal detected |/vpn/js/%2E./.%2E/%76pns/cfg/smb.conf|"

 

Best regards,

Jens

[Koenraad Willems]

By the way, this is an easy website to scan your ADC for the vulnerability:

 

https://cve-2019-19781.azurewebsites.net/

 

Props to Christian Pedersen.

 

Koenraad

[Manoj Rana]

Thanks everyone.

 

Is anyone have information about if wildcard cert was leaked due to CVE-2019-19781.

 

I checked on the same https://cve-2019-19781.azurewebsites.net/ is anyone know the source of information or any other information

Thanks  

[Koenraad Willems]

Hi Manoj,

 

I think this is from the GDI Foundation. They have a dataset.

But if you are listed, it doesn't automatically mean the cert was stolen. As a precautionary measure, it might make sense to renew the cert anyway.

 

Best,

 

Koenraad

[Etienne Coppin]

CISA : AA20-031A: Detecting Citrix CVE-2019-19781
https://www.us-cert.gov/ncas/alerts/aa20-031a