Additional NetScaler Vulnerability to CVE-2019-19781: Citrix Exploit 2

Information from Citrix Technology Professional Matthias Schlimm:

Hello everybody,

An additional vulnerability was found today in 2 HTTP headers, following CVE-2019-19781 from December 2019, i.e. all systems that have already gone through the "Mitigation Steps from article" cannot avoid making another change. Unfortunately, there is currently no official blog or supplement from Citrix available, so I can only share what I have received from Citrix sources here:

--- snip ---
There is a new attack against the CVE, it seems like it can exploit using 2 headers. You can read more about it here: I've updated my responder policy expression with:

HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS("/vpns/") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS("/../")) || HTTP.REQ.HEADER("NSC_USER").CONTAINS("/../") || HTTP.REQ.HEADER("NSC_NONCE").CONTAINS(".pl")
--- snap ---

Therefore, please carry out the following additional steps on the NetScaler Gateway and thus create another responder policy for the 2 headers:
add responder policy resp_pol_ctx267027_2 "HTTP.REQ.HEADER(\"NSC_USER\").CONTAINS(\"/../\") || HTTP.REQ.HEADER(\"NSC_NONCE\").CONTAINS(\".pl\") " respondwith403

bind responder global resp_pol_ctx267027_2 2 END -type REQ_OVERRIDE
save config  

The following article can be used to determine whether an attack has occurred to date:

An official patch is expected for individual systems, depending on the firmware, for January 20; see gateway vulnerability / CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway

Important: When using a VPX 50, the responder or rewrite features are not licensed; here you have to wait for the firmware from Citrix.
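As an added example (not part of the original post and not Citrix code), the Python model below evaluates the responder expressions quoted above against constructed requests, to show which requests the two policies answer with a 403. It assumes the URL is passed in already decoded, that header names are matched case-insensitively, and that CONTAINS behaves as a plain substring test; the function names and sample requests are hypothetical.

```python
# Substrings taken from the responder expressions quoted in this post.
HEADER_RULES = (("NSC_USER", "/../"), ("NSC_NONCE", ".pl"))


def header_rule_hits(headers):
    """Return the header names that trip the second policy (resp_pol_ctx267027_2)."""
    # Assumption: header names are looked up case-insensitively and
    # CONTAINS is modelled as a plain substring test on the header value.
    lowered = {name.lower(): value for name, value in headers.items()}
    return [name for name, needle in HEADER_RULES
            if needle in lowered.get(name.lower(), "")]


def url_rule_hit(decoded_url, is_sslvpn):
    """URL clause of the combined expression quoted between snip and snap."""
    # Assumption: the caller passes the URL as the appliance sees it
    # after DECODE_USING_TEXT_MODE has been applied.
    return "/vpns/" in decoded_url and (not is_sslvpn or "/../" in decoded_url)


def would_respond_403(decoded_url, headers, is_sslvpn):
    """Combined expression: URL clause OR either header clause.

    '&&' binds tighter than '||', so the header clauses apply to every
    request, whatever its URL and whether or not it is an SSL VPN session.
    """
    return url_rule_hit(decoded_url, is_sslvpn) or bool(header_rule_hits(headers))


# Constructed sample requests (not captured traffic): (url, headers, is_sslvpn)
SAMPLES = [
    ("/vpn/index.html", {}, False),
    ("/vpns/portal/index.html", {"NSC_USER": "alice"}, True),
    ("/vpns/portal/index.html", {}, False),
    ("/vpns/a/../b", {}, True),
    ("/vpn/index.html", {"nsc_user": "/../placeholder"}, True),
    ("/vpn/index.html", {"NSC_NONCE": "placeholder.pl"}, True),
]

if __name__ == "__main__":
    for url, headers, vpn in SAMPLES:
        verdict = "403" if would_respond_403(url, headers, vpn) else "pass"
        print(f"{verdict}  {url}  {headers}")
```

The last two samples are answered with a 403 only because of the header clauses, which is the part that the additional policy resp_pol_ctx267027_2 contributes.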


