Citrix released a security advisory (CVE-2019-19781) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.
The vulnerability affects all supported versions of Citrix ADC and Citrix Gateway products. As Citrix did not disclose many details about the vulnerability, the mitigation steps suggest the VPN handler fails to sufficiently sanitize user-supplied inputs. The exploit attempt would include HTTP requests with ‘/../’ and ‘/vpns/’ in the URL. The responder policy rule checks for string “/vpns/” and if user is connected to the SSLVPN, and sends a 403 response as seen below.
add responder policy ctx267027 “HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(”/vpns/”) && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(”/../”))” respondwith403
Qualys has issued QID 372305 for Qualys Vulnerability Management that covers authentication and remote vulnerabilities present in affected Citrix products. This QID is included in signature version VULNSIGS-2.4.788-2.
QID 372305 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)
The QID contains a remote and an authenticated signature to check the presence of vulnerability in Citrix Products.
You can search for this new QID in AssetView or within the VM Dashboard by using the following QQL query:
vulnerabilities.vulnerability.qid:372305
vulnerabilities.vulnerability.cveId:`CVE-2019-19781`
This will return a list of all impacted hosts.
You can also create a Dashboard to track all Citrix vulnerabilities as shown in the template below:
The fastest way to locate vulnerable hosts is though the Qualys Threat Protection Live Feed as seen here:
Simply click on the Impacted Assets number to see a list of hosts with this vulnerability.
Customers are recommended to apply Citrix’s Mitigation Steps for CVE-2019-19781 as soon as possible. Also, customers can check their systems for exploit attempts using “grep” for requests that contain “vpns” and “..”.
Qualys customers can scan their network with QID 372305 to detect vulnerable assets.
*** This is a Security Bloggers Network syndicated blog from The Laws of Vulnerabilities – Qualys Blog authored by Animesh Jain. Read the original post at: https://blog.qualys.com/laws-of-vulnerabilities/2020/01/08/citrix-adc-and-gateway-remote-code-execution-vulnerability-cve-2019-19781
Authors/Presenters: *Cheng-Long Wang, Mengdi Huai, Di Wang* Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content,…
Security testing allows you to evaluate the robustness of applications and systems and identify potential weaknesses that attackers may exploit.…
Did you know that the total number of data breaches more than tripled between 2013 and 2022? These breaches exposed…
PHP Extended Lifecycle Support (ELS) allows you to continue using older versions of PHP while still receiving security updates for…
In light of cookie stealing attacks and to ensure Chrome browser protection, Google has recently piloted its new Chrome DBSC.…
Our digital world is based on connectivity, but with that comes great responsibility. Businesses manage vast amounts of client information.…