How to check, if your NetScaler is affected by CVE-2019-19781: Citrix Exploit 1 and 2

-
You can check if your NetScaler is affected by CVE-2019-19781 with following commands:

Indicators of compromise

To get an idea wether your Citrix ADC is compromised I’d recommend to perform (at least!) the following steps

Template files

The exploits all write files to two different directories. Scan those via:
shell ls /netscaler/portal/templates/*.xml
shell ls /var/tmp/netscaler/portal/templates
shell ls /var/vpn/bookmark/*.xml

If you find files similar to the following you are likely to be compromised

Apache Log files

In addition, attempts to exploit the system leave traces in the Apache httpaccess log files. Those you can validate via:
shell cat /var/log/httpaccess.log | grep vpns | grep xml
shell cat /var/log/httpaccess.log | grep "/\.\./"
shell gzcat /var/log/httpaccess.log.*.gz | grep vpns | grep xml
shell gzcat /var/log/httpaccess.log.*.gz | grep "/\.\./"

The following output is found on a system that was exploited:

However, a guarantee can never been given as attackers also might clean up their traces of the initial exploitation. A few more things to validate are…

Cron jobs

Attackers have been observed to obtain persistent access via scheduled tasks (“cron jobs” in Linux/BSD) to maintain their access even if the vulnerability gets patched. Check your crontab file for anomalies:
shell cat /etc/crontab
shell crontab -l -u nobody


The following is the output of a non-compromised system for you to compare:

Backdoor scripts

Running backdoors or other malicious tasks are often executed as Perl or Python scripts. Check for the presence of active running Perl or Python tasks:
shell ps -aux | grep python
shell ps -aux | grep perl



If you see more then the “grep” commands itself check the running scripts.

But beware, several Citrix ADC system-native tasks might appear as well. Some run scheduled so run the query again a few seconds later. Some are permanent (custom monitoring scripts for Storefront for example). Check those scripts to make sure they weren’t altered.

Crypto miners

Several attacks have been observed to install crypto miners. You can identifiy those by looking at the CPU intense processes by running:
shell top -n 10

Should you see any other processes but NSPPE-xx displaying high CPU usage you might have found a crypto miner:

Firewall

In addition to Citrix ADC local indicators observe your surrounding firewalls for any irregular traffic. Most likely attackers will use the Citrix ADC as a jump host to penetrate the network further.

Firmware updates

Citrix currently has no patch available – however, according to a recent blog post Citrix announced release dates for a permanent fix throughout January.
The announced release dates are:
13.0
27.1.2020
12.1
27.1.2020
12.0
20.1.2020
11.1
20.1.2020
10.5
31.1.2020
I recommend to schedule an update ASAP after release and monitor the official advisory closely!

Comments

Post a Comment

Popular posts from this blog

Export a list of all XenApp 7.x published applications via Powershell

-
Image
If you want to export a list of all published applications used in your environment you can do this with PowerShell. First add the Citrix PowerShell snapin: asnp Citrix.* Then run the Command which will export a TXT File which contains the Published Name and the Application Name. This can be extended to almost anything you need. More parameters you'll find in the Citrix Developer Documentation: https://developer-docs.citrix.com/projects/delivery-controller-sdk/en/7.17/Broker/Get-BrokerApplication/ MaxRecordCount 300 extends the output to 300 objects. The default value is 250. If you have more then 250 Applications you need this value.  Get-Brokerapplication -MaxRecordCount 300 | Select-Object PublishedName,ApplicationName | fl >c:\application.txt Then you'll find the TXT file in your specified output folder: It will be displayed like this:
Read more

Implementing Single Sign On with NetScaler and Kerberos Constrained Delegation (KCD)

-
Image
I wrote a manual how you can realize a Single Sign on Solution with Kerberos KCD and NetScaler. It's possible to restrict the user delegation to certain services/protocols on a server. You'll need this if NetScaler is not knowing the user password. If it knows the user password you can realize the SSO with Kerberos Impersonation. This will be an extra post. Let's start with creating a KCD account. 1. Create KCD Accounts Create KCD Account in AD Password never expires should be chosen 1.1    Enable the delegation tab for this user You can activate it with setspn ( It is available if you have the Active Directory Domain Services (AD DS) server role installed) Needs to be run from an elevated command prompt setspn -A host/KCDTest@simon.ns simon\KCDTest 1.2 Choose the delegation option Here you need to chose "Trust this user for delegation to specified services only" and also "use any authentication protocol".
Read more

How to: Create a Client Certificate for LDAPS with OpenSSL

-
Image
Today I will introduce you my new article on how to create a client certificate with OpenSSL so that you can use it for LDAPS You need to create two files in your new folder which we will need later on (I prefer notepad++ for the creation of my files): 1             1.  Your request.inf file 2             2.  Your v3ext.txt file 1.     Request.inf (save as .inf with notepad++) [Version]  Signature="$Windows NT$"  [NewRequest]  Subject = "CN= your-active-diretory.fqdn” f.ex : “simonAD.testinfo.com” (enter the FQDN of your AD Server)  KeySpec = 1  KeyLength = 2048 (enter the key length with fits your need. Some say you need to take at leas 2048 to make LDAPS work)  Exportable = TRUE  MachineKeySet = TRUE  SMIME = FALSE  PrivateKeyArchive = FALSE  UserProtected = FALSE  UseExistingKeySet = FALSE  ProviderName = "Microsoft RSA SChannel Cryptographic Provider"  ProviderType = 12  RequestType = PKCS10  KeyUsage = 0
Read more