Citrix NetScaler unauthenticated remote code execution critical alert
On Dec. 17, 2019, Citrix announced that its NetScaler Application Delivery Controller (ADC) and Gateway products were vulnerable to a critical unauthenticated path traversal flaw that could lead to remote code execution (CVE-2019-19781).
Citrix NetScaler ADC and Gateway together provide remote user access to a company's internal network, and an estimated 80,000 companies use this software. Although a full patch was not released with the announcement, Citrix issued mitigations for the vulnerability. These mitigations restrict access to the targeted vulnerable files rather than fixing the vulnerable code itself, so they can help prevent active exploitation until a full patch is released. [1, 2]
On Jan. 1, 2020, multiple parties released full working exploits for the affected Citrix products. With a successful exploit, an attacker could fully compromise the gateway server and use it as a pivot point into internal company resources. From that pivot point, the attacker could conduct further attacks against the internal network, distribute malware or extract company data.
Since the public release of functioning exploits, cybercriminals have begun using these techniques at large scale. Mass scanning of Citrix endpoints by a variety of parties is underway, and researchers operating intentionally vulnerable servers (honeypots) are reporting active malicious exploitation of affected systems.
In addition to the functional exploits, multiple vulnerability scanners have been released to identify unmitigated installations. TrustedSec, which released one of the first functional exploits, also released a scanner that administrators can use to test their own networks for the vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has also released its own utility for detecting this vulnerability. [3, 4, 5]
A full patch is expected by the end of January, but as of this writing there are still thousands of unmitigated systems on the internet. We make the following recommendations:
- Scan your networks for this vulnerability and apply the recommended mitigations where applicable.
- Monitor and review logs for the affected systems for signs of an earlier attack.
- When Citrix releases the official patch, apply it immediately.
Update: On Jan. 16, 2020, Citrix updated the language in its support article to state that the suggested mitigation steps do not mitigate the vulnerability on ADC Release 12.1 builds before 51.16/51.19 and 50.31. This version is not scheduled to be updated until Jan. 27, 2020, so these release versions will remain unmitigated and unpatched until that date. This gives even the most basic attackers a long window of uninterrupted exploitation.
[1] CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway, https://support.citrix.com/article/CTX267027.
[2] Mitigation Steps for CVE-2019-19781, https://support.citrix.com/article/CTX267679.
[4] CISA Releases Test for Citrix ADC and Gateway Vulnerability, Jan. 13, 2020, https://www.us-cert.gov/ncas/current-activity/2020/01/13/cisa-releases-test-citrix-adc-and-gateway-vulnerability.