
Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)

Citrix released a security advisory (CVE-2019-19781) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.

Vulnerability

The vulnerability affects all supported versions of Citrix ADC and Citrix Gateway products. Citrix has not disclosed many details about the vulnerability, but the mitigation steps suggest that the VPN handler fails to sufficiently sanitize user-supplied input. An exploit attempt would include HTTP requests with ‘/../’ and ‘/vpns/’ in the URL. The responder policy rule matches requests whose decoded URL contains the string “/vpns/” and that either do not come from an established SSL VPN session or also contain “/../”, and answers them with a 403 response, as seen below.

add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403

Detecting CVE-2019-19781

Qualys has issued QID 372305 for Qualys Vulnerability Management, which provides both authenticated and remote checks for the affected Citrix products. This QID is included in signature version VULNSIGS-2.4.788-2.

QID 372305 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)

The QID contains a remote and an authenticated signature to check for the presence of the vulnerability in Citrix products.
You can search for this new QID in AssetView or within the VM Dashboard by using the following QQL query:

vulnerabilities.vulnerability.qid:372305
vulnerabilities.vulnerability.cveId:`CVE-2019-19781`

This will return a list of all impacted hosts.

You can also create a Dashboard to track all Citrix vulnerabilities, as shown in the dashboard template in the original post.

Finding Vulnerable Hosts

The fastest way to locate vulnerable hosts is through the Qualys Threat Protection Live Feed, as shown in the original post:

Simply click on the Impacted Assets number to see a list of hosts with this vulnerability.

Mitigation

Customers are recommended to apply Citrix’s Mitigation Steps for CVE-2019-19781 as soon as possible. Also, customers can check their systems for exploit attempts using “grep” for requests that contain “vpns” and “..”.
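As an added example (not code from the original post, Citrix or Qualys), the following POSIX shell script implements the grep-based check described above over a constructed sample access log: it reports requests that contain both "/vpns/" and "/../", and first normalizes the common percent-encoded spellings of "." and "/" because the appliance's responder policy matches the decoded URL, whereas a plain grep on the raw log would miss encoded variants. The log location, the sample lines and the EXAMPLE_PATH segment are placeholders, not real data.

```shell
#!/bin/sh
# Added example, not code from the original post or from Citrix/Qualys.
# Scans a web access log for requests that combine a "/vpns/" path with
# "/../" traversal, the two markers the advisory's responder policy keys on.
# The sample log below is constructed; the access log location on a real
# appliance is an assumption you must adjust.

# Normalize the obvious percent-encoded spellings of "." and "/" so that a
# request written as "%2e%2e%2f" is matched as "../". The responder policy
# decodes the URL before matching; a literal grep on the raw log would not.
normalize_url_encoding() {
    sed -e 's/%2[eE]/./g' -e 's/%2[fF]/\//g'
}

# Print every log line whose decoded request contains both markers.
find_traversal_attempts() {
    # $1 = path to the access log to inspect
    normalize_url_encoding < "$1" | grep -F '/vpns/' | grep -F '/../' || true
}

# Number of matching request lines in the log.
count_traversal_attempts() {
    find_traversal_attempts "$1" | wc -l | tr -d ' '
}

# Number of distinct client addresses (first field) behind those requests.
count_suspicious_sources() {
    find_traversal_attempts "$1" | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Constructed sample log in combined-log-style format (not real data).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [08/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
10.0.0.7 - - [08/Jan/2020:10:00:02 +0000] "GET /vpns/EXAMPLE_PATH HTTP/1.1" 403 0
10.0.0.9 - - [08/Jan/2020:10:00:03 +0000] "GET /vpn/../vpns/EXAMPLE_PATH HTTP/1.1" 200 0
10.0.0.9 - - [08/Jan/2020:10:00:04 +0000] "POST /vpn/..%2fvpns/EXAMPLE_PATH HTTP/1.1" 200 0
10.0.0.12 - - [08/Jan/2020:10:00:05 +0000] "GET /vpn/%2e%2e/vpns/EXAMPLE_PATH HTTP/1.1" 200 0
10.0.0.13 - - [08/Jan/2020:10:00:06 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4096
EOF

# Summary report; on a real appliance point the functions at its access log.
echo "traversal attempts: $(count_traversal_attempts "$SAMPLE_LOG")"
echo "distinct sources:   $(count_suspicious_sources "$SAMPLE_LOG")"
```

On the sample above the script reports three matching requests from two distinct sources; the bare "/vpns/" request that carries no "/../" is not counted, which matches the page's description of what an exploit attempt looks like (the responder policy itself is stricter, since it also blocks "/vpns/" requests that do not come from an SSL VPN session).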

Qualys customers can scan their network with QID 372305 to detect vulnerable assets.


*** This is a Security Bloggers Network syndicated blog from The Laws of Vulnerabilities – Qualys Blog authored by Animesh Jain. Read the original post at: https://blog.qualys.com/laws-of-vulnerabilities/2020/01/08/citrix-adc-and-gateway-remote-code-execution-vulnerability-cve-2019-19781