Additional NetScaler Vulnerabiliy to CVE-2019-19781: Citrix Exploit 2

-


Information from Citrix Technology Professional Matthias Schlimm:


Hello everybody,   An additional vulnerability was found in 2 HTTP HEADERN today, following CVE-2019-19781 from December 2019, i.e. All systems that have already passed the "Mitgation Steps from article https://support.citrix.com/article/CTX267679" cannot avoid making another change. Unfortunately, there is currently no official blog or supplement from Citrix available, so I can only share what I have received from Citrix sources here:     --snip --- There is a new attack against the CVE, it seems like it can exploit using 2 headers. You can read more about here: https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/I’ve updated my responder policy expression with:   HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS (“/ vpns /“) && (! CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS (“/../“)) || http.req.header (“NSC_USER”). Contains (“/../“) || http.req.header ( "NSC_NONCE"). Contains ( ". pl")   --snap-   Therefore, please carry out the following additional steps on the Netscaler Gateway and thus create another responder policy for the 2 headers:  
add responder policy resp_pol_ctx267027_2 "HTTP.REQ.HEADER(\"NSC_USER\").CONTAINS(\"/../\") || HTTP.REQ.HEADER(\"NSC_NONCE\").CONTAINS(\".pl\") " respondwith403

bind responder global resp_pol_ctx267027_2 2 END -type REQ_OVERRIDE
save config  

  The following article can be used to determine whether an attack has occurred to date:

https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/
An official patch is expected for individual systems depending on the firmware for January 20, see
https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix- gateway vulnerability /
CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway https://support.citrix.com/article/CTX267027   Important: When using a VPX 50, responder or rewrite feature are not licensed, here you have to wait for the firmware from Citrix.

Comments

Post a Comment

Popular posts from this blog

Export a list of all XenApp 7.x published applications via Powershell

-
Image
If you want to export a list of all published applications used in your environment you can do this with PowerShell. First add the Citrix PowerShell snapin: asnp Citrix.* Then run the Command which will export a TXT File which contains the Published Name and the Application Name. This can be extended to almost anything you need. More parameters you'll find in the Citrix Developer Documentation: https://developer-docs.citrix.com/projects/delivery-controller-sdk/en/7.17/Broker/Get-BrokerApplication/ MaxRecordCount 300 extends the output to 300 objects. The default value is 250. If you have more then 250 Applications you need this value.  Get-Brokerapplication -MaxRecordCount 300 | Select-Object PublishedName,ApplicationName | fl >c:\application.txt Then you'll find the TXT file in your specified output folder: It will be displayed like this:
Read more

Implementing Single Sign On with NetScaler and Kerberos Constrained Delegation (KCD)

-
Image
I wrote a manual how you can realize a Single Sign on Solution with Kerberos KCD and NetScaler. It's possible to restrict the user delegation to certain services/protocols on a server. You'll need this if NetScaler is not knowing the user password. If it knows the user password you can realize the SSO with Kerberos Impersonation. This will be an extra post. Let's start with creating a KCD account. 1. Create KCD Accounts Create KCD Account in AD Password never expires should be chosen 1.1    Enable the delegation tab for this user You can activate it with setspn ( It is available if you have the Active Directory Domain Services (AD DS) server role installed) Needs to be run from an elevated command prompt setspn -A host/KCDTest@simon.ns simon\KCDTest 1.2 Choose the delegation option Here you need to chose "Trust this user for delegation to specified services only" and also "use any authentication protocol".
Read more

How to: Create a Client Certificate for LDAPS with OpenSSL

-
Image
Today I will introduce you my new article on how to create a client certificate with OpenSSL so that you can use it for LDAPS You need to create two files in your new folder which we will need later on (I prefer notepad++ for the creation of my files): 1             1.  Your request.inf file 2             2.  Your v3ext.txt file 1.     Request.inf (save as .inf with notepad++) [Version]  Signature="$Windows NT$"  [NewRequest]  Subject = "CN= your-active-diretory.fqdn” f.ex : “simonAD.testinfo.com” (enter the FQDN of your AD Server)  KeySpec = 1  KeyLength = 2048 (enter the key length with fits your need. Some say you need to take at leas 2048 to make LDAPS work)  Exportable = TRUE  MachineKeySet = TRUE  SMIME = FALSE  PrivateKeyArchive = FALSE  UserProtected = FALSE  UseExistingKeySet = FALSE  ProviderName = "Microsoft RSA SChannel Cryptographic Provider"  ProviderType = 12  RequestType = PKCS10  KeyUsage = 0
Read more