Manoj Rana, posted January 29, 2020

Hi All,

I am looking for advice. We have upgraded the NetScaler firmware for CVE-2019-19781, and the mitigation steps are still enabled. The responder policy is still bound to global. Can we unbind the policy?

Thanks

Koenraad Willems, posted January 29, 2020

Hi Manoj,

Since the patch fixes the vulnerability, I suppose the mitigation steps can be undone.

Best,
Koenraad

Jens Dellner, posted January 29, 2020

Hi Manoj,

Yes, you can completely remove the workaround. I upgraded to 13.0.47.24 and removed the workaround. A scan shows that the NetScaler is not vulnerable. ns.log will now show detected attacks:

01/29/2020:06:29:55 GMT ns 0-PPE-0 : default SSLVPN Message 4066075 0 : "is_path_traversal_or_vpns_attack_request Path traversal detected |/vpn/../vpns/cfg/smb.conf|"
01/29/2020:08:27:50 GMT ns 0-PPE-0 : default SSLVPN Message 4331943 0 : "is_path_traversal_or_vpns_attack_request Path traversal detected |/vpn/js/%2E./.%2E/%76pns/cfg/smb.conf|"

Best regards,
Jens
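
An added example, not part of the post above or of Citrix's tooling: a small Python parser for the ns.log detection lines quoted in that post, which percent-decodes and normalises each logged path so encoded variants can be grouped by the file they resolve to. The log layout is assumed from the two quoted lines only, and the function names are hypothetical.

```python
import posixpath
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# The two ns.log lines quoted in the post above.
SAMPLE_LOG = '''\
01/29/2020:06:29:55 GMT ns 0-PPE-0 : default SSLVPN Message 4066075 0 : "is_path_traversal_or_vpns_attack_request Path traversal detected |/vpn/../vpns/cfg/smb.conf|"
01/29/2020:08:27:50 GMT ns 0-PPE-0 : default SSLVPN Message 4331943 0 : "is_path_traversal_or_vpns_attack_request Path traversal detected |/vpn/js/%2E./.%2E/%76pns/cfg/smb.conf|"
'''

# Layout assumed from those two lines; search() tolerates a syslog prefix.
EVENT = re.compile(
    r"(\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*?"
    r"is_path_traversal_or_vpns_attack_request Path traversal detected \|([^|]*)\|"
)

def decode_fully(path, max_rounds=5):
    """Percent-decode repeatedly so double-encoded paths are also resolved."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def parse_event(line):
    """Return a dict for a path-traversal detection line, else None."""
    m = EVENT.search(line)
    if not m:
        return None
    raw = m.group(2)
    decoded = decode_fully(raw)
    return {
        "time": datetime.strptime(m.group(1), "%m/%d/%Y:%H:%M:%S"),  # GMT
        "raw": raw,
        "target": posixpath.normpath(decoded),  # path after resolving ../
        "encoded": decoded != raw,              # percent-encoding was used
    }

def summarize(log_text):
    """Parse every line; return (events, Counter of resolved targets)."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    return events, Counter(e["target"] for e in events)

if __name__ == "__main__":
    events, targets = summarize(SAMPLE_LOG)
    for e in events:
        print(e["time"].isoformat(), e["target"], "encoded" if e["encoded"] else "plain")
    print(dict(targets))
```

Both quoted requests resolve to the same target, /vpns/cfg/smb.conf; the second reaches it through percent-encoded path segments.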

Koenraad Willems, posted January 29, 2020

By the way, this is an easy website to scan your ADC for the vulnerability: https://cve-2019-19781.azurewebsites.net/

Props to Christian Pedersen.

Koenraad

Manoj Rana (Author), posted January 29, 2020

Thanks everyone.

Does anyone have information about whether a wildcard cert was leaked due to CVE-2019-19781? I checked on the same https://cve-2019-19781.azurewebsites.net/. Does anyone know the source of the information, or have any other information?

Thanks

Koenraad Willems, posted January 29, 2020

Hi Manoj,

I think this is from the GDI Foundation. They have a dataset. But if you are listed, it doesn't automatically mean the cert was stolen. As a precautionary measure, it might make sense to renew the cert anyway.

Best,
Koenraad

Etienne Coppin, posted February 2, 2020

CISA: AA20-031A: Detecting Citrix CVE-2019-19781
https://www.us-cert.gov/ncas/alerts/aa20-031a