Additional NetScaler Vulnerability to CVE-2019-19781: Citrix Exploit 2



Information from Citrix Technology Professional Matthias Schlimm:


Hello everybody,

An additional vulnerability involving 2 HTTP headers was found today, following CVE-2019-19781 from December 2019; i.e., all systems that have already gone through the "Mitigation Steps" from article https://support.citrix.com/article/CTX267679 cannot avoid making another change. Unfortunately, there is currently no official blog or supplement from Citrix available, so I can only share what I have received from Citrix sources here:

--snip--

There is a new attack against the CVE, it seems like it can exploit using 2 headers. You can read more about it here: https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/

I've updated my responder policy expression with:

HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS("/vpns/") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS("/../")) || http.req.header("NSC_USER").Contains("/../") || http.req.header("NSC_NONCE").Contains(".pl")

--snap--

Therefore, please carry out the following additional steps on the NetScaler Gateway and thus create another responder policy for the 2 headers:

add responder policy resp_pol_ctx267027_2 "HTTP.REQ.HEADER(\"NSC_USER\").CONTAINS(\"/../\") || HTTP.REQ.HEADER(\"NSC_NONCE\").CONTAINS(\".pl\") " respondwith403

bind responder global resp_pol_ctx267027_2 2 END -type REQ_OVERRIDE
save config  

  The following article can be used to determine whether an attack has occurred to date:

https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/
An official patch is expected on January 20 for individual systems, depending on the firmware; see
https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/

CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway: https://support.citrix.com/article/CTX267027

Important: When using a VPX 50, the responder or rewrite features are not licensed; here you have to wait for the firmware from Citrix.
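
The combined expression quoted above and the resp_pol_ctx267027_2 policy, modelled in Python as an added example (not Citrix's or the author's code) so the logic can be checked against test or captured requests. It assumes one round of percent-decoding for DECODE_USING_TEXT_MODE, case-sensitive CONTAINS and the usual && before || precedence; the function names and sample requests are constructed for illustration.

```python
from urllib.parse import unquote

def header(headers, name):
    """Case-insensitive header lookup; a missing header is the empty string."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""

def url_rule(url, is_sslvpn):
    """URL part: "/vpns/" present AND (no SSL VPN session OR "/../" present)."""
    decoded = unquote(url)  # assumption: a single round of percent-decoding
    return "/vpns/" in decoded and (not is_sslvpn or "/../" in decoded)

def header_rule(headers):
    """Header part (resp_pol_ctx267027_2): either header check alone matches."""
    return ("/../" in header(headers, "NSC_USER")
            or ".pl" in header(headers, "NSC_NONCE"))

def verdict(request):
    """Responder outcome for one request dict (url, is_sslvpn, headers)."""
    if url_rule(request["url"], request.get("is_sslvpn", False)):
        return "403 (URL rule)"
    # The header checks are OR-ed at top level, so they apply to every URL.
    if header_rule(request.get("headers", {})):
        return "403 (header rule)"
    return "pass"

# Constructed sample requests; all values are placeholders.
SAMPLES = [
    {"url": "/vpn/index.html", "headers": {}},
    {"url": "/vpns/portal/", "is_sslvpn": True, "headers": {}},
    {"url": "/vpns/portal/", "headers": {}},
    {"url": "/a/%2e%2e/vpns/placeholder", "is_sslvpn": True, "headers": {}},
    {"url": "/other", "headers": {"nsc_user": "/../placeholder"}},
    {"url": "/other", "headers": {"NSC_NONCE": "placeholder.pl"}},
    {"url": "/other", "headers": {"NSC_USER": "alice", "NSC_NONCE": "abc123"}},
]

def evaluate(samples=SAMPLES):
    """Return the verdict for each sample, in order."""
    return [verdict(s) for s in samples]

if __name__ == "__main__":
    for sample, result in zip(SAMPLES, evaluate()):
        print(f"{result:18} {sample['url']} {sample['headers']}")
```

Because the two header checks sit outside the "/vpns/" condition, a system that only carries the original URL policy lets the fifth and sixth samples through; that gap is what the second policy closes.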
