Attacker Value
Very High

CVE-2019-19781

Disclosure Date: November 05, 2019

Exploitability

(5 users assessed) Very High
Attack Vector
Network
Privileges Required
None
User Interaction
None

Description

An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.


6
Ratings
Technical Analysis

AWS had pre-built AMIs for these appliances built and supplied to the marketplace by Citrix.

At the time of release and for several weeks afterwards, they were still available in their default vulnerable state. Whilst AWS have removed the vulnerable images, any AWS account that subscribed to a specific AMI will still have the default vulnerable version.

If you use this kind of setup, it is important to remove any old AMIs and replace them; do not assume that patches will be applied to existing AMIs.

5
Ratings
  • Attacker Value
    High
  • Exploitability
    Very High
Technical Analysis

This vulnerability appears to be based on a web request to a /vpns/ resource containing a directory traversal reference. The traversal reference seems to grant access to the admin portal. This specifically is blocked by the skip_systemaccess_policyeval flag in the interim fix published by Citrix. Based on what information is available publicly, the vulnerability can be exploited to gain code execution on the Citrix server without authentication information. This would be very useful to an attacker because it could be exploited remotely and without authentication, and because Citrix servers often have a lot of traffic, which could facilitate an attacker’s efforts to obfuscate their activity.

In some environments, Citrix servers may not be patched as frequently as other systems due to their mission-critical nature of providing applications for external users. In this case, attackers may have an easier time in escalating their privileges once code execution has been obtained. This would only be necessary if the initial vector did not already yield NT_AUTHORITY\SYSTEM privileges, which the current information does not specify.
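
A log-triage check for the request shape the assessment above describes (a /vpns/ path carrying a directory traversal reference), added here as an example; it is not code from the assessment's author or from Citrix. It assumes a combined-format web access log, and the sample lines, IP addresses and file names are constructed.

```python
import re
from urllib.parse import unquote

# Matches the request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_suspicious(raw_path):
    """True when a request path references /vpns/ and contains a '..' segment."""
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/").lower()
    segments = path.split("/")
    return "vpns" in segments and ".." in segments

def scan(lines):
    """Return (source_ip, raw_path) for every log line flagged by is_suspicious."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group(1)):
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2020:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2020:03:14:09 +0000] "GET /a/../vpns/placeholder.txt HTTP/1.1" 200 128',
    '203.0.113.9 - - [10/Jan/2020:03:14:11 +0000] "POST /a/%2e%2e/vpns/placeholder.txt HTTP/1.1" 200 64',
    '203.0.113.9 - - [10/Jan/2020:03:14:12 +0000] "GET /a/%252e%252e/vpns/placeholder.txt HTTP/1.1" 403 0',
    '198.51.100.7 - - [10/Jan/2020:03:15:00 +0000] "GET /vpns/placeholder.txt HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, path in scan(SAMPLE_LOG):
        print(f"{ip} requested {path}")
```

A hit only shows that a request of this shape reached the appliance; the response code and any follow-on activity from the same source still need review.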

2
Ratings
Technical Analysis

Numerous public reports on this being leveraged to enter org perimeter appliances.

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

There are now public exploits for this and it is now reliable and low-risk to exploit. More info at https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix which is a pretty reasonable approximation for how this AKB entry would ideally look :) Also of note, https://twitter.com/buffaloverflow/status/1216807963974938624 mentions a number of files of interest to an attacker.

2
Ratings
Technical Analysis

This CVE made it into US-CERT’s “Top 10” bulletin released in May, 2020 – https://www.us-cert.gov/ncas/alerts/aa20-133a / https://web.archive.org/web/20200512161248/https://www.us-cert.gov/ncas/alerts/aa20-133a

  • Vulnerable Products: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SDWAN WANOP
  • Mitigation: Update affected Citrix devices with the latest security patches