In December 2019, Citrix published a support article for a path traversal flaw in Citrix Application Delivery Controller (ADC) and Citrix Gateway, both formerly known as NetScaler ADC and NetScaler Gateway. Weaponized proof-of-concept exploit code for this recently disclosed remote code execution vulnerability in Citrix's NetScaler ADC and Gateway products was then publicly released by multiple groups, making it possible for anyone to leverage it and take full control of exposed enterprise targets.
This has forced companies that are Citrix customers to urgently protect servers running the affected versions of Citrix's application delivery, load balancing, and Gateway solutions, since the flaw lets remote attackers compromise them and makes it easy for low-skilled script users to launch cyber-attacks against vulnerable organizations.
Citrix also confirmed that the flaw affects all supported versions of the software, including:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
This vulnerability is tracked as CVE-2019-19781 and carries a critical CVSS v3.1 base score of 9.8. However, the company made the disclosure without releasing security patches for the vulnerable software; instead, Citrix offered mitigation steps to help administrators guard their servers against possible remote attacks.
Weeks after the exploit code was released, Unit 42 researchers found scanning activity in the wild that leverages this vulnerability, and they have identified additional Indicators of Compromise since the vulnerability was initially disclosed on January 10.
Meanwhile, Citrix's mitigation steps offer a clue about the vulnerable component of ADC and Gateway, since they reference requests containing the “/vpns/” path. The root cause of the vulnerability is improper handling of the pathname: the system has no data sanitization check and uses the path from incoming requests directly.
When the vulnerable system receives a request containing a path like /vpn/../vpns/services.html, the Apache server running in the Citrix products transforms /vpn/../vpns/ into simply /vpns/. This vulnerability in the Apache system could allow remote attackers to use directory traversal requests to access sensitive files without any user authentication.
In other situations, the impact can be more severe. Because the directory traversal applies to user input without authentication or sanitization, an attacker can write a crafted XML file onto the vulnerable server using a POST request. When the attacker then makes another HTTP request to visit the rendered file, the malicious code inside the XML file is executed.
According to Shodan, more than 125,400 Citrix ADC or Gateway servers are publicly accessible and could be exploited overnight if they are not taken offline or protected with the available mitigation. The screenshots below show some examples of Citrix hosts in Shodan:
With exploit scripts for this vulnerability now available, users are strongly encouraged to apply the mitigation steps provided by Citrix as soon as possible. Users are also advised to review their request logs frequently to determine whether active scanning or exploitation may already have occurred. Such requests may include paths such as:
We can't emphasize this enough: Defenxor, as one of the trusted IT security companies in Indonesia, highly recommends that you carry out the mitigation steps as soon as possible, before it is too late or the situation gets worse. Also, keep up with our website for the latest articles on today's security issues and trends that you should know about to stay up to date.
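The log review recommended above can be automated. The following Python script is an added example, not code from the original post or from Citrix: it parses Apache-style access log lines (the sample lines are constructed for this demonstration), percent-decodes and normalizes each request path the way the appliance's Apache collapses /vpn/../vpns/ into /vpns/, and flags every request that resolves into /vpns/, distinguishing traversal attempts from direct requests to that path.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed Apache-style access log lines for this demonstration (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.11 - - [11/Jan/2020:10:00:02 +0000] "GET /vpn/../vpns/services.html HTTP/1.1" 200 1024
203.0.113.12 - - [11/Jan/2020:10:00:03 +0000] "POST /vpn/%2e%2e/vpns/services.html HTTP/1.1" 200 0
203.0.113.13 - - [11/Jan/2020:10:00:04 +0000] "GET /vpns/services.html HTTP/1.1" 403 0
198.51.100.5 - - [11/Jan/2020:10:00:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target protocol", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_path(target):
    """Strip the query string and percent-decode twice, so %2e%2e and %252e%252e both become '..'."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path

def normalize_path(target):
    """Collapse '.' and '..' segments the way the Apache instance in the appliance does,
    so /vpn/../vpns/services.html becomes /vpns/services.html."""
    return normpath("/" + decode_path(target).lstrip("/"))

def classify(line):
    """Return (ip, method, raw target, normalized path, status, reason) when the request
    resolves into /vpns/, the path that Citrix's mitigation guidance references."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("target")
    norm = normalize_path(raw)
    if norm != "/vpns" and not norm.startswith("/vpns/"):
        return None
    reason = "traversal into /vpns/" if ".." in decode_path(raw) else "direct /vpns/ request"
    return (m.group("ip"), m.group("method"), raw, norm, m.group("status"), reason)

def scan_log(text):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, method, raw, norm, status, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {raw} -> {norm} [{status}] {reason}")
```

Feed it a real access log with `scan_log(open(path).read())`; a direct /vpns/ request answered with 403 indicates the mitigation is in place, while a 200 on a traversal line deserves investigation.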