Very High
CVE-2019-19781
CVE-2019-19781
Description
An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.
Add Assessment
Technical Analysis
AWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.
At the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.
If you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs
Technical Analysis
This vulnerability appears to be based on a web request to a /vpns/ resource containing a directory traversal reference. The traversal reference seems to grant access to the admin portal. This specifically is blocked by the skip_systemaccess_policyeval flag in the interim fix published by Citrix. Based on what information is available publicly, the vulnerability can be exploited to gain code execution on the Citrix server without authentication information. This would be very useful to an attacker because it could be exploited remotely, without authentication and due to the nature of Citrix servers often having a lot of traffic which could facilitate an attacker’s efforts to obfuscate their activity.
In some environments, Cirtix servers may not be patched as frequently as other systems due to their mission critical nature of providing applications for external users. In this case, attackers may have an easier time in escalating their privileges once code execution has been obtained. This would only be necessary if the initial vector did not already yield NT_AUTHORITY\SYSTEM privileges which the current information does not specify.
Technical Analysis
Numerous public reporting on this being leveraged to enter org perimeter appliance.
Technical Analysis
There are now public exploits for this and it is now reliable and low-risk to exploit. More info at https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix which is a pretty reasonable approximation for how this AKB entry would ideally look :) Also of note, https://twitter.com/buffaloverflow/status/1216807963974938624 mentions a number of files of interest to an attacker.
Technical Analysis
This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a
- Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
- Mitigation: Update affected Citrix devices with the latest security patches
Technical Analysis
Update: As of July 2021, CISA has marked this as the most heavily exploited vulnerability in 2020 as noted at https://us-cert.cisa.gov/ncas/alerts/aa21-209a. If you haven’t patched this already and you have publicly facing servers, then you should probably assume they have been compromised given the heavy exploitation of this vulnerability in the wild.
This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
CVSS V3 Severity and Metrics
General Information
Vendors
- citrix
Products
- application delivery controller firmware 10.5,
- application delivery controller firmware 11.1,
- application delivery controller firmware 12.0,
- application delivery controller firmware 12.1,
- application delivery controller firmware 13.0,
- gateway firmware 13.0,
- netscaler gateway firmware 10.5,
- netscaler gateway firmware 11.1,
- netscaler gateway firmware 12.0,
- netscaler gateway firmware 12.1
Metasploit Modules
Exploited in the Wild
References
Miscellaneous
