9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
A vulnerability been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.
Citrix has published a security bulletin that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote, unauthenticated attacker. Although the bulletin does not describe details about the vulnerability, the mitigation steps describe techniques to block the handling of requests that contain a directory traversal attempt (/../
) and also requests that attempt to access the /vpns/
directory.
Limited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the /vpns/
path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been outlined involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the Perl Template Toolkit. Other exploitation techniques may be possible.
A link of the following form can be used to determine if a system is affected:
https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf
For example, the following curl command can be used:
curl https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf --path-as-is -k -f
The “CITRIXGATEWAY
” string should be replaced with the name or IP of the system you wish to test. If retrieving the link results in a 403 Forbidden error, then the mitigations outlined below have likely been applied. However, if retrieving the link results in the contents of a smb.conf
file, then the system is vulnerable.
By exploiting this vulnerability, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.
Apply an update
Citrix has released updates in Security Bulletin CTX267027. The updated software is designed to prevent unauthenticated attackers from accessing certain web server features. If updates are unavailable for your platform, or if you are otherwise unable to apply updates, please consider the following workarounds:
Block the handling of specially-crafted requests
Citrix article CTX267679 contains several mitigation options for this vulnerability, depending on what type of product installation is used. For example, on a stand-alone system, the following commands are reported to mitigate this vulnerability:
nable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\\r\
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config
shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot
Note that other configurations, such as CLIP, and HA, the steps to mitigate this vulnerability may be different. Please see CTX267679 for more details.
619785
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Updated: January 08, 2020
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 9.5 | E:H/RL:W/RC:C |
Environmental | 7.1 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
This vulnerability was reported to the vendor by Mikhail Klyuchnikov of Positive Technologies.
This document was written by Art Manion and Will Dormann.
CVE IDs: | CVE-2019-19781 |
---|---|
Date Public: | 2019-12-17 Date First Published: |
github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
isc.sans.edu/forums/diary/A+Quick+Update+on+Scanning+for+CVE201919781+Citrix+ADC+Gateway+Vulnerability/25686/
support.citrix.com/article/CTX267027
support.citrix.com/article/CTX267679
www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html
www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/
www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/
www.us-cert.gov/ncas/alerts/aa20-020a
www.us-cert.gov/ncas/alerts/aa20-031a
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%