{"vuid":"VU#619785","idnumber":"619785","name":"Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability","keywords":[""],"overview":"A vulnerability been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.","clean_desc":"Citrix has published a security bulletin that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote,unauthenticated attacker. Although the bulletin does not describe details about the vulnerability,the mitigation steps describe techniques to block the handling of requests that contain a directory traversal attempt(/../)and also requests that attempt to access the/vpns/directory. Limited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the/vpns/path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been outlined involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the Perl Template Toolkit. Other exploitation techniques may be possible. A link of the following form can be used to determine if a system is affected: https://CITRIXGATEWAY/vpn/../vpns/cfg/smb.conf For example,the following curl command can be used: curl https://CITRIXGATEWAY/vpn/../vpns/cfg/smb.conf --path-as-is -k -f The\"CITRIXGATEWAY\"string should be replaced with the name or IP of the system you wish to test. If retrieving the link results in a 403 Forbidden error,then the mitigations outlined below have likely been applied. However,if retrieving the link results in the contents of a smb.conf file,then the system is vulnerable.","impact":"By exploiting this vulnerability, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.","resolution":"Apply an update Citrix has released updates in Security Bulletin CTX267027. The updated software is designed to prevent unauthenticated attackers from accessing certain web server features. If updates are unavailable for your platform, or if you are otherwise unable to apply updates, please consider the following workarounds:","workarounds":"Block the handling of specially-crafted requests Citrix article CTX267679 contains several mitigation options for this vulnerability, depending on what type of product installation is used. For example, on a stand-alone system, the following commands are reported to mitigate this vulnerability: nable ns feature responder\nadd responder action respondwith403 respondwith \"\\\"HTTP/1.1 403 Forbidden\\r\\n\\r\\n\\\"\"\nadd responder policy ctx267027 \"HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/vpns/\\\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\\\"/../\\\"))\" respondwith403\nbind responder global ctx267027 1 END -type REQ_OVERRIDE\nsave config shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0\nshell \"echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler\"\nreboot Note that other configurations, such as CLIP, and HA, the steps to mitigate this vulnerability may be different. Please see CTX267679 for more details. Also note that the above mitigation does not work on Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31, due to an altogether different bug. Release 12.1 users are recommended to update to an unaffected build and also apply mitigations for protection.","sysaffected":"","thanks":"This vulnerability was reported to the vendor by Mikhail Klyuchnikov of Positive Technologies.","author":"This document was written by Art Manion and Will Dormann.","public":["https://support.citrix.com/article/CTX267027","https://support.citrix.com/article/CTX267679","https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/","https://isc.sans.edu/forums/diary/A+Quick+Update+on+Scanning+for+CVE201919781+Citrix+ADC+Gateway+Vulnerability/25686/","https://www.tripwire.com/state-of-security/vert/citrix-netscaler-cve-2019-19781-what-you-need-to-know/","https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml","https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html","https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md","https://www.us-cert.gov/ncas/alerts/aa20-020a","https://www.us-cert.gov/ncas/alerts/aa20-031a"],"cveids":["CVE-2019-19781"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2019-12-26T23:56:21Z","publicdate":"2019-12-17T00:00:00Z","datefirstpublished":"2020-01-08T16:47:18Z","dateupdated":"2020-02-03T13:11:42Z","revision":111,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"4","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"10","cvss_basevector":"AV:N/AC:L/Au:N/C:C/I:C/A:C","cvss_temporalscore":"9.5","cvss_environmentalscore":"7.121077488","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}