Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability

Overview

A vulnerability been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.

Description

Citrix has published a security bulletin that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote, unauthenticated attacker. Although the bulletin does not describe details about the vulnerability, the mitigation steps describe techniques to block the handling of requests that contain a directory traversal attempt (/../) and also requests that attempt to access the /vpns/ directory.

Limited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the /vpns/ path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been outlined involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the Perl Template Toolkit. Other exploitation techniques may be possible.

A link of the following form can be used to determine if a system is affected:
https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf

For example, the following curl command can be used:
curl https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf --path-as-is -k -f

The “CITRIXGATEWAY” string should be replaced with the name or IP of the system you wish to test. If retrieving the link results in a 403 Forbidden error, then the mitigations outlined below have likely been applied. However, if retrieving the link results in the contents of a smb.conf file, then the system is vulnerable.

---

Impact

By exploiting this vulnerability, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.

---

Solution

Apply an update

Citrix has released updates in Security Bulletin CTX267027. The updated software is designed to prevent unauthenticated attackers from accessing certain web server features. If updates are unavailable for your platform, or if you are otherwise unable to apply updates, please consider the following workarounds:

---

Block the handling of specially-crafted requests

Citrix article CTX267679 contains several mitigation options for this vulnerability, depending on what type of product installation is used. For example, on a stand-alone system, the following commands are reported to mitigate this vulnerability:

nable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\\r\
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot
Note that other configurations, such as CLIP, and HA, the steps to mitigate this vulnerability may be different. Please see CTX267679 for more details.

Also note that the above mitigation does not work on Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31, due to an altogether different bug. Release 12.1 users are recommended to update to an unaffected build and also apply mitigations for protection.

Vendor Information

619785

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Citrix Affected

Updated: January 08, 2020

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://support.citrix.com/article/CTX267027&gt;
• <https://support.citrix.com/article/CTX267679&gt;

CVSS Metrics

Group	Score	Vector
Base	10	AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal	9.5	E:H/RL:W/RC:C
Environmental	7.1	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

• <https://support.citrix.com/article/CTX267027&gt;
• <https://support.citrix.com/article/CTX267679&gt;
• <https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/&gt;
• <https://isc.sans.edu/forums/diary/A+Quick+Update+on+Scanning+for+CVE201919781+Citrix+ADC+Gateway+Vulnerability/25686/&gt;
• <https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/&gt;
• <https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml&gt;
• <https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html&gt;
• <https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md&gt;
• <https://www.us-cert.gov/ncas/alerts/aa20-020a&gt;
• <https://www.us-cert.gov/ncas/alerts/aa20-031a&gt;

Acknowledgements

This vulnerability was reported to the vendor by Mikhail Klyuchnikov of Positive Technologies.

This document was written by Art Manion and Will Dormann.

Other Information

CVE IDs:	CVE-2019-19781
Date Public:	2019-12-17 Date First Published: