
Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability actively exploited

Reference: Advisory #2020-010

Version: 1

Affected software: Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0.

Type: Directory Traversal & Function Injection

CVE/CVSS: CVE-2019-19781 (CVSSv2 7.5, CVSSv3 9.8)

Risks

Criminals have been observed exploiting this issue in the wild on unmitigated appliances. Citrix strongly urges affected customers to immediately upgrade to a fixed build or apply the provided mitigation, which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments. Customers who have chosen to apply the mitigation should upgrade all of their vulnerable appliances to a patched version as soon as possible.

Description

A vulnerability has been identified in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform function injections and directory traversals. CERT.be has been monitoring this vulnerability since its release and has recently seen exploitation in the wild.

Recommended Actions

Citrix has released updates in Security Bulletin CTX267027. The update patches the directory traversal vulnerability, which is responsible for the function injection. If updates are unavailable for your platform, or if you are otherwise unable to apply updates, please consider the mentioned workarounds. CERT.be recommends applying the patch as soon as possible. The patches can be downloaded from Citrix support.

References

  1. https://support.citrix.com/article/CTX267027
  2. https://support.citrix.com/article/CTX267679
  3. https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/
  4. https://isc.sans.edu/forums/diary/A+Quick+Update+on+Scanning+for+CVE201919781+Citrix+ADC+Gateway+Vulnerability/25686/
  5. https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/
  6. https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
  7. https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html
  8. https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md
  9. https://www.us-cert.gov/ncas/alerts/aa20-020a
  10. https://www.us-cert.gov/ncas/alerts/aa20-031a
  11. https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/