Bug alert: Organisations told to deploy mitigations against Citrix NetScaler remote code execution flaw

News by Rene Millman

Organisations have been warned that they need to deploy workarounds for the Citrix ADC (NetScaler) CVE-2019-19781 vulnerability as working exploits have become available.

Citrix is currently developing patches for the bug and is likely to release them at the end of the month.

Just before Christmas, Citrix warned that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are prone to a vulnerability which can enable remote unauthenticated attackers to execute code on vulnerable gateways.

According to a blog by MDSec, even though there were no publicly available details on how to exploit this issue, the mitigation advisory from Citrix revealed a potential clue to the type of vulnerability that it was.

"We can see the path where presumably the vulnerability exists (/vpns/) and that is a possible directory traversal vulnerability. With this in mind, we began to look for definitions of the /vpns path in the httpd.conf file and discovered that the /vpn/portal/scripts/ is handled by the NetScaler::Portal::Handler Perl Module (Handler.pm)," researchers said.

Another blog, this time published by TrustedSec, said that in order to access the FreeBSD command prompt, investigators will have to log in to the NetScaler command prompt (typically via SSH) and run the system command. This should place them at a root command prompt.

Citrix issued guidance on how administrators can mitigate the problem. There are steps for standalone systems and clusters. In a further blog post, Citrix said it was working to develop permanent fixes, which should be available from 20 January this month, depending on the supported version.

"There have been reports of network scanning to detect the presence of this vulnerability. As many deployments are behind the firewall, we believe that a limited number of devices are exploitable. We continue to recommend that all affected customers deploy the previously released mitigation and follow all steps," said Fermin Serna, CISO at Citrix.

Kelvin Murray, senior threat researcher at Webroot, told SC Media UK that the first thing organisations should do is check for compromise by searching the file directories as explained in the Citrix support article.

"Citrix have also laid out mitigation steps where updating is not an option," he said. "Yet, whether it's this Citrix issue, another VPN exploit or just exploits in general, the first line of defence is always patching and updating. Patch often and across the board, automating as much as possible, to avoid such vulnerabilities."

Paul Ducklin, senior security advisor at Sophos, told SC Media UK that, unfortunately, announcing bugs sometimes gives away enough information to set attackers on the right path to finding an exploit.

"In other words, even describing a vulnerability in a responsible way may help the bad guys along with the rest of us," he said. 

He added that using the mitigation steps published by Citrix will "prevent this vulnerability from being exploited".

"So, if you have any affected devices, don't delay - do it today!" he added.
