Additional NetScaler Vulnerability to CVE-2019-19781: Citrix Exploit 2
Information from Citrix Technology Professional Matthias Schlimm:
Hello everybody,

An additional vulnerability was found today in 2 HTTP headers, following CVE-2019-19781 from December 2019. This means that all systems that have already gone through the "Mitigation Steps" from article https://support.citrix.com/article/CTX267679 still have to make one further change. Unfortunately, there is currently no official blog post or supplement from Citrix available, so I can only share here what I have received from Citrix sources:

--snip---
There is a new attack against the CVE; it seems it can be exploited using 2 headers. You can read more about it here: https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/
I've updated my responder policy expression with:
HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS("/vpns/") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS("/../")) || HTTP.REQ.HEADER("NSC_USER").CONTAINS("/../") || HTTP.REQ.HEADER("NSC_NONCE").CONTAINS(".pl")
--snap---

Therefore, please carry out the following additional steps on the NetScaler Gateway, i.e. create another responder policy for the 2 headers (it reuses the respondwith403 action created in the CTX267679 steps):
add responder policy resp_pol_ctx267027_2 "HTTP.REQ.HEADER(\"NSC_USER\").CONTAINS(\"/../\") || HTTP.REQ.HEADER(\"NSC_NONCE\").CONTAINS(\".pl\")" respondwith403
bind responder global resp_pol_ctx267027_2 2 END -type REQ_OVERRIDE
save config
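As an added check that is not part of the original post or of Citrix's guidance: a small Python function that mirrors the combined responder expression above, so the rule can be tried against recorded requests before it is bound on the gateway. It approximates DECODE_USING_TEXT_MODE with percent-decoding and models CLIENT.SSLVPN.IS_SSLVPN as a flag; the sample requests are constructed.

```python
from urllib.parse import unquote

# Constructed sample requests (not real traffic): request line, headers, and a
# flag standing in for CLIENT.SSLVPN.IS_SSLVPN (True = authenticated SSL VPN user).
SAMPLE_REQUESTS = [
    ("GET /vpn/index.html HTTP/1.1", {"Host": "gw.example.test"}, False),
    ("GET /vpn/../vpns/test HTTP/1.1", {"Host": "gw.example.test"}, False),
    ("GET /vpns/portal/test HTTP/1.1", {"Host": "gw.example.test"}, True),
    ("GET /vpn/index.html HTTP/1.1", {"NSC_USER": "/../x"}, False),
    ("GET /vpn/index.html HTTP/1.1", {"nsc_nonce": "abc.pl"}, False),
    ("GET /vpn/%2e%2e/vpns/test HTTP/1.1", {"Host": "gw.example.test"}, False),
]


def policy_matches(request_line, headers, is_sslvpn):
    """Return True when the request would be answered with 403 by the combined
    CTX267679 rule plus the two header checks (NSC_USER and NSC_NONCE)."""
    parts = request_line.split(" ")
    path = parts[1] if len(parts) > 1 else request_line
    # HTTP.REQ.URL.DECODE_USING_TEXT_MODE: approximated by percent-decoding
    url = unquote(path)
    # Header names are case-insensitive; CONTAINS on the value stays case-sensitive
    hdr = {name.upper(): value for name, value in headers.items()}
    # && binds tighter than || in NetScaler expressions, as in Python
    url_rule = "/vpns/" in url and (not is_sslvpn or "/../" in url)
    nsc_user_rule = "/../" in hdr.get("NSC_USER", "")
    nsc_nonce_rule = ".pl" in hdr.get("NSC_NONCE", "")
    return url_rule or nsc_user_rule or nsc_nonce_rule


def blocked_requests(samples):
    """Request lines from samples that the policy would block."""
    return [line for line, hdrs, vpn in samples if policy_matches(line, hdrs, vpn)]


if __name__ == "__main__":
    for line, hdrs, vpn in SAMPLE_REQUESTS:
        verdict = "BLOCK" if policy_matches(line, hdrs, vpn) else "allow"
        print(f"{verdict:5} {line}  headers={hdrs} sslvpn={vpn}")
```

The third sample shows the intended exception: an authenticated SSL VPN user reaching /vpns/ without a traversal sequence is still allowed, while the header rules apply regardless of session state.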
The following article can be used to determine whether an attack has occurred to date:
https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/
An official patch is expected for January 20, depending on the firmware version of the individual system, see
https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/
CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway: https://support.citrix.com/article/CTX267027
Important: on a VPX 50, the responder and rewrite features are not licensed; there you have to wait for the firmware fix from Citrix.