Attacker Value
Very High
(6 users assessed)
Exploitability
Very High
(6 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2019-19781

Disclosure Date: November 05, 2019
Exploited in the Wild
Reported by AttackerKB Worker and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

Add Assessment

6
Ratings
Technical Analysis

AWS had pre built AMIs for these appliances built and supplied to the market place by Citrix.

At the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images any AWS account that subscribed to a specific AMI will still have the default vulnerable version.

If you use this kind of setup it is important to remove any old AMIs and replace them, do not assume that patches will be applied to exising AMIs

5
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

This vulnerability appears to be based on a web request to a /vpns/ resource containing a directory traversal reference. The traversal reference seems to grant access to the admin portal. This specifically is blocked by the skip_systemaccess_policyeval flag in the interim fix published by Citrix. Based on what information is available publicly, the vulnerability can be exploited to gain code execution on the Citrix server without authentication information. This would be very useful to an attacker because it could be exploited remotely, without authentication and due to the nature of Citrix servers often having a lot of traffic which could facilitate an attacker’s efforts to obfuscate their activity.

In some environments, Cirtix servers may not be patched as frequently as other systems due to their mission critical nature of providing applications for external users. In this case, attackers may have an easier time in escalating their privileges once code execution has been obtained. This would only be necessary if the initial vector did not already yield NT_AUTHORITY\SYSTEM privileges which the current information does not specify.

2
Ratings
Technical Analysis

Numerous public reporting on this being leveraged to enter org perimeter appliance.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

There are now public exploits for this and it is now reliable and low-risk to exploit. More info at https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix which is a pretty reasonable approximation for how this AKB entry would ideally look :) Also of note, https://twitter.com/buffaloverflow/status/1216807963974938624 mentions a number of files of interest to an attacker.

2
Ratings
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
  • Mitigation: Update affected Citrix devices with the latest security patches
2
Ratings
Technical Analysis

Update: As of July 2021, CISA has marked this as the most heavily exploited vulnerability in 2020 as noted at https://us-cert.cisa.gov/ncas/alerts/aa21-209a. If you haven’t patched this already and you have publicly facing servers, then you should probably assume they have been compromised given the heavy exploitation of this vulnerability in the wild.

This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • citrix

Products

  • application delivery controller firmware 10.5,
  • application delivery controller firmware 11.1,
  • application delivery controller firmware 12.0,
  • application delivery controller firmware 12.1,
  • application delivery controller firmware 13.0,
  • gateway firmware 13.0,
  • netscaler gateway firmware 10.5,
  • netscaler gateway firmware 11.1,
  • netscaler gateway firmware 12.0,
  • netscaler gateway firmware 12.1

Exploited in the Wild

Reported by:
Technical Analysis