Very High
CVE-2019-19781
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2019-19781
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
AWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.
At the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.
If you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueHigh
-
ExploitabilityVery High
Technical Analysis
This vulnerability appears to be based on a web request to a /vpns/
resource containing a directory traversal reference. The traversal reference seems to grant access to the admin portal. This specifically is blocked by the skip_systemaccess_policyeval
flag in the interim fix published by Citrix. Based on what information is available publicly, the vulnerability can be exploited to gain code execution on the Citrix server without authentication information. This would be very useful to an attacker because it could be exploited remotely, without authentication and due to the nature of Citrix servers often having a lot of traffic which could facilitate an attacker’s efforts to obfuscate their activity.
In some environments, Cirtix servers may not be patched as frequently as other systems due to their mission critical nature of providing applications for external users. In this case, attackers may have an easier time in escalating their privileges once code execution has been obtained. This would only be necessary if the initial vector did not already yield NT_AUTHORITY\SYSTEM
privileges which the current information does not specify.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
Numerous public reporting on this being leveraged to enter org perimeter appliance.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
There are now public exploits for this and it is now reliable and low-risk to exploit. More info at https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix which is a pretty reasonable approximation for how this AKB entry would ideally look :) Also of note, https://twitter.com/buffaloverflow/status/1216807963974938624 mentions a number of files of interest to an attacker.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
- Mitigation: Update affected Citrix devices with the latest security patches
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
Technical Analysis
Update: As of July 2021, CISA has marked this as the most heavily exploited vulnerability in 2020 as noted at https://us-cert.cisa.gov/ncas/alerts/aa21-209a. If you haven’t patched this already and you have publicly facing servers, then you should probably assume they have been compromised given the heavy exploitation of this vulnerability in the wild.
This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- citrix
Products
- application delivery controller firmware 10.5,
- application delivery controller firmware 11.1,
- application delivery controller firmware 12.0,
- application delivery controller firmware 12.1,
- application delivery controller firmware 13.0,
- gateway firmware 13.0,
- netscaler gateway firmware 10.5,
- netscaler gateway firmware 11.1,
- netscaler gateway firmware 12.0,
- netscaler gateway firmware 12.1
Metasploit Modules
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa21-209a)
- Other: 2020 Most Exploited Vulnerability Report (https://www.ic3.gov/Media/News/2021/210728.pdf)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Miscellaneous
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: