Proof Of Concept for CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller and Citrix Gateway) Published

Description

The FortiGuard Labs SE team is aware of a new proof of concept, released over the weekend, that targets Citrix Gateway via CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller and Citrix Gateway). The vulnerability was first identified in December and disclosed to Citrix by researchers. If exploited, the vulnerability in Citrix Application Delivery Controller (ADC) (previously known as NetScaler ADC) and Citrix Gateway (previously known as NetScaler Gateway) could allow an unauthenticated attacker to perform arbitrary code execution.


What is the vulnerability specifically?
At this time, details of the vulnerability have not been disclosed. However, according to researchers at Qualys, the vulnerability appears to stem from the VPN handler failing to sufficiently sanitize user-supplied input. Exploit attempts would include HTTP requests with '/../' and '/vpns/' in the URL. The responder policy rule checks for the string "/vpns/" and, if the user is connected to the SSLVPN, responds with a 403.
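As an added example (not code from the FortiGuard advisory or from Citrix), the following Python script applies the indicator described above to web-server access-log lines, flagging requests whose percent-decoded URL contains both '/vpns/' and '/../'. The log format, IP addresses and request paths below are constructed for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real device traffic.
# Request paths are placeholders, not actual exploit URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234
10.0.0.6 - - [11/Jan/2020:10:01:07 +0000] "GET /vpn/../vpns/placeholder_path HTTP/1.1" 403 0
10.0.0.7 - - [11/Jan/2020:10:01:09 +0000] "GET /vpn/%2e%2e/vpns/placeholder_path HTTP/1.1" 403 0
10.0.0.8 - - [11/Jan/2020:10:01:12 +0000] "GET /vpns/services.html HTTP/1.1" 200 456
"""

# Minimal parser for the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def is_traversal_probe(raw_path: str) -> bool:
    """True when the request path carries both indicators named in the advisory.

    The path is percent-decoded twice (to catch double-encoded dots) and
    lower-cased before matching, so that "%2e%2e" or mixed case does not
    slip past a plain substring check on the raw request line.
    """
    decoded = unquote(unquote(raw_path)).lower()
    return "/vpns/" in decoded and "/../" in decoded


def find_probes(log_text: str) -> List[Dict[str, object]]:
    """Return one record per log line that matches the traversal indicator."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if is_traversal_probe(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(f"possible CVE-2019-19781 probe from {hit['ip']}: {hit['path']} -> {hit['status']}")
```

A 403 on a flagged line indicates the responder policy blocked the request; a 200 on such a line is worth a closer look.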


What is the impact of this issue?
High. Because exploitation is trivial and does not require authentication to execute commands, an attacker can access the private network of the targeted victim and carry out arbitrary code execution. Since exploitation is trivial, it can be performed by anyone without knowledge of user credentials or accounts, and attacks that originate from the affected device can be leveraged against other victim assets: the attacker gains a foothold that ultimately allows pivoting within the victim's network. Furthermore, because proof of concept code is now available online, in-the-wild attacks are expected to occur soon.


What products and platform/versions are affected?
Citrix ADC and Citrix Gateway version 13.0 all supported builds
Citrix ADC and NetScaler Gateway version 12.1 all supported builds
Citrix ADC and NetScaler Gateway version 12.0 all supported builds
Citrix ADC and NetScaler Gateway version 11.1 all supported builds
Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds


What is the status of AV and IPS coverage?
Fortinet customers running the latest IPS definitions are protected by the following signature: Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal

AV coverage for this event is not feasible.


Are there any mitigations made available by the vendor?
According to Citrix, there is no mitigation available at this time for the affected devices. A firmware update will be released in the last week of January. Customers running affected Citrix products should visit the reference section for a link to the official Citrix support forum for CVE-2019-19781.


References (External Links):
Citrix CVE-2019-19781 Advisory
Citrix CVE-2019-19781 Support Forum
Proof Of Concept for CVE-2019-19781