National Cyber Security Centre

Alert: Actors exploiting Citrix products vulnerability

An NCSC alert detailing the investigation into the exploitation of a critical vulnerability in Citrix products.

Update note

This Alert is an updated version of the Alert published on 14 January 2020.

It provides updated information on another product (SD-WAN WANOP) also affected by the vulnerability, newly released fixes and creation of an IoC scanning tool to detect exploitation.

Details

The NCSC is investigating multiple exploitations of a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that allows an unauthenticated attacker to perform arbitrary code execution on a network. The vulnerability is CVE-2019-19781 and its exploitation has been widely reported online in early January 2020. Attackers appear to be deploying various payloads once exploitation has taken place.

The following Citrix products are affected:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Note that since the original disclosure, Citrix has advised that the vulnerability is also known to affect some SD-WANOP appliance models:

  • Citrix SD-WAN WANOP appliance models 400-WO, 4100-WO, 5000-WO and 5100-WO all supported builds

Release of fixes

Citrix first disclosed this vulnerability in an Advisory on 17 December 2019. Initially no patch was available although Citrix provided mitigation advice. On 19 January 2020, Citrix began to release fixes, which were available for all affected builds by 24 January. Links can be found below.

The NCSC recommends following vendor best practice advice to mitigate vulnerabilities. In this case, the most important aspect is to install the latest updates as soon as practicable and to follow the vendor mitigation advice immediately.

Citrix have now updated the fixes for all affected ADC versions: https://www.citrix.com/downloads/citrix-adc/

Fixes for all affected Gateway versions: https://www.citrix.com/downloads/citrix-gateway/

Fixes for all affected SD-WAN models: https://www.citrix.com/downloads/citrix-sd-wan/

Detecting already compromised systems

The NCSC also strongly advises organisations carry out searches across their networks to identify whether exploitation has taken place.

Citrix and Mandiant FireEye have jointly developed an IoC scanner to detect this vulnerability. The scanner analyses available log sources and system forensic artefacts to identify where exploitation of CVE-2019-19781 has taken place. The tool can be accessed via the link below:

https://github.com/citrix/ioc-scanner-CVE-2019-19781/

In addition, the following can also be used as a simple check for a vulnerable system:

  1. Perform a GET request to: https://{host}/vpn/../vpns/
  2. Check response for "You don't have permission to access /vpns/"

Conclusion

Organisations who detect any suspected exploitation should report to the NCSC via the website.

Appendix

Sigma rule to detect activity is publicly available:

title: Citrix Netscaler Attack CVE-2019-19781
description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack
id: ac5a6409-8c89-44c2-8d64-668c29a2d756
references:
    - https://support.citrix.com/article/CTX267679#
    - https://support.citrix.com/article/CTX267027
    - https://isc.sans.edu/diary/25686
    - https://twitter.com/mpgn_x64/status/1216787131210829826
author: Arnim Rupp, Florian Roth
status: experimental
date: 2020/01/02
modified: 2020/01/13
logsource:
    category: webserver
    description: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt)'
detection:
    selection:
        c-uri-path:
            - '*/../vpns/*'
            - '*/vpns/cfg/smb.conf'
            - '*/vpns/portal/scripts/newbm.pl*'
            - '*/vpns/portal/scripts/rmbm.pl*'
            - '*/vpns/portal/scripts/picktheme.pl*'
    condition: selection
fields:
    - client_ip
    - vhost
    - url
    - response
falsepositives:
    - Unknown
level: critical
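To show what the Sigma selection above actually matches, here is an added example (not from the alert or the rule authors) that applies the same five c-uri-path globs to web server access log lines in Common Log Format. The log lines, the 203.0.113.x addresses and the scan_log/path_matches helpers are constructed for illustration; fnmatch is used as an approximation of Sigma wildcard semantics.

```python
import fnmatch
import re

# The c-uri-path globs from the Sigma rule above; Sigma '*' matches any
# run of characters, '/' included, which is also how fnmatch treats it.
URI_PATTERNS = [
    "*/../vpns/*",
    "*/vpns/cfg/smb.conf",
    "*/vpns/portal/scripts/newbm.pl*",
    "*/vpns/portal/scripts/rmbm.pl*",
    "*/vpns/portal/scripts/picktheme.pl*",
]

# Common Log Format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def path_matches(path: str) -> bool:
    """True if the raw (un-normalised) request path hits any rule pattern."""
    return any(fnmatch.fnmatchcase(path, p) for p in URI_PATTERNS)

def scan_log(lines):
    """Return (client_ip, path, status) for every line the rule would flag.
    Unparseable lines are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and path_matches(m["path"]):
            hits.append((m["client_ip"], m["path"], int(m["status"])))
    return hits

# Constructed sample lines (not real traffic); 203.0.113.0/24 is a
# documentation range. Paths are those named in the rule's own patterns.
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512',
    '203.0.113.20 - - [11/Jan/2020:10:00:02 +0000] "GET /vpn/../vpns/ HTTP/1.1" 403 0',
    '203.0.113.20 - - [11/Jan/2020:10:00:03 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0',
    '203.0.113.30 - - [11/Jan/2020:10:00:04 +0000] "GET /robots.txt HTTP/1.1" 200 24',
]

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} requested {path} -> HTTP {status}")
```

Note that the first pattern only fires on the raw request path: if a proxy or log pipeline collapses "../" before the line is written, only the four literal /vpns/ patterns remain effective, so check what your appliance actually logs (the rule's own logsource note suggests the robots.txt test for this).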

In addition, the following Snort rule alerts on the first part of the "Project Zero India" exploit:

alert tcp any any -> any any (sid: 1019781; msg: "SERVER-WEBAPP Citrix ADC NSC_USER directory traversal attempt"; content: "NSC_USER:"; fast_pattern; content: "NSC_USER:"; http_header; content: "/../"; http_header; content: "POST"; http_method; content: "NSC_NONCE:" ; http_header; content: ".pl"; http_uri; content: "/vpns/"; http_uri; reference:cve,2019-19781; classtype: web-application-attack)

Exploitation code is also available via the links below:

Downloads

Alert: Actors exploiting a vulnerability in Citrix products (version 2)
An NCSC alert detailing the investigation into the exploitation of a critical vulnerability in Citrix products (version 2), PDF, 204 KB, 5 PAGES


Channel website: https://www.ncsc.gov.uk/

Original article link: https://www.ncsc.gov.uk/news/citrix-alert
