Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Rechercher Ressource - BlogRessource - WebinaireRessource - RapportRessource - Événementicons_066 icons_067icons_068icons_069icons_070

Blog Tenable

S'abonner
  • Twitter
  • Facebook
  • LinkedIn

CVE-2019-19781 : Critical Vulnerability in Citrix ADC and Gateway Sees Active Exploitation While Patches are Still Not Available

CVE-2019-19781 : Critical Vulnerability in Citrix ADC and Gateway Sees Active Exploitation While Patches are Still Not Available

Following the release of exploit scripts for a critical flaw in Citrix Application Delivery Controller (ADC) and Gateway, attackers launch attacks against vulnerable hosts, while Citrix announces release date for patches

UPDATE 01/24/2020: This blog post has been updated to reflect the availability of patches released by Citrix.

Background

Attacks Increase After Exploit Scripts Released

On January 10, Tenable Security Response observed exploit scripts for CVE-2019-19781, a critical vulnerability in Citrix ADC and Gateway (formerly known as NetScaler ADC and NetScaler Gateway) had been published to GitHub. Soon after, reports of increased exploitation attempts against vulnerable hosts emerged.

According to SANS Internet Storm Center, the released exploit scripts have been “heavily used,” as they observed a spike in exploitation attempts against their honeypots.

Citrix Updates Support Article with Patch Release Dates

On January 11, Citrix updated their support article for the vulnerability, announcing plans to release patches for Citrix ADC and Gateway near the end of January.

Thousands of Citrix ADC and Gateway Endpoints Remain Vulnerable

On January 12, Troy Mursch, chief research officer at Bad Packets published a blog with statistics showing that over 25,000 Citrix ADC and Gateway endpoints were vulnerable to CVE-2019-19781. Mursch used BinaryEdge to scan over 60,000 endpoints. Vulnerable endpoints included those in government agencies, education, healthcare, utilities, banking, and “numerous” Fortune 500 companies.

At that time, Mursch found that there were vulnerable hosts in over 122 countries, which were outlined in a graphic:

Source : Over 25,000 Citrix (Netscaler) Endpoints Vulnerable to CVE-2019-19781 (Troy Mursch)

Attackers Can Obtain LDAP Passwords, Cookies from Vulnerable Hosts

On January 13, Rich Warren, principal security consultant at NCC Group, identified additional avenues of exploitation for attackers targeting vulnerable ADC and Gateway hosts. According to Warren, attackers have the capability to read the /flash/nsconfig/ns.conf file, which could contain hashed Active Directory/Lightweight Directory Access Protocol (LDAP) credentials, including SHA512 passwords which are “easily crackable” using hashcat.

Additionally, Warren notes that attackers could access authenticated cookies from the path “/var/stmp/sess_*” which according to Warren can be reused by attackers.

On January 14, security researcher dozer published a blog detailing how one could decrypt values obtained from the Citrix configuration files, along with providing a Python script to perform the decryption.

On the same day, hashcat was updated with support for cracking the SHA512 hashes obtained from Citrix Netscaler in version 6.0.0.

Dutch Cybersecurity Centre Advises Shutting Down ADC and Gateway Servers, As Mitigation Steps Ineffective In Some Instances

On January 14, the Dutch National Cybersecurity Centre (NCSC) warned that many Dutch Citrix servers were vulnerable to attacks. On January 16, they published a follow-up saying the measures recommended by Citrix are “not always effective” as some of the mitigation steps don’t appear to work for certain devices.

Doubling down, the NCSC stressed that until a patch is available “there is currently no good, guaranteed reliable solution for all Citrix ADC and Citrix Gateway servers.” As a result, the NCSC made the recommendation to consider “switching off the Citrix ADC and Gateway servers” if the impact is acceptable. If not, they advise close monitoring for “possible abuse.”

Vigilante Applies Mitigation to Vulnerable ADC and Gateway Hosts, Maintains Backdoor

On January 16, researchers at FireEye published a blog regarding a peculiar observation in exploitation attempts against vulnerable ADC and Gateway hosts. According to FireEye, they’ve identified a threat actor that is blocking attempts to exploit the vulnerability, cleaning up previous malware infections on affected hosts, while also deploying their own backdoor called NOTROBIN.

The blog mentions that during one engagement, FireEye observed multiple threat actors had launched successful attacks against a vulnerable host. However, once NOTROBIN was installed on the host, they identified “more than a dozen exploitation attempts were thwarted by NOTROBIN.” FireEye concludes that the actor behind NOTROBIN compromising these devices may be doing so as they “prepare for an upcoming campaign.”

Proof of concept

There are currently several exploit scripts available on GitHub from TrustedSec, ProjectZeroIndia, and mpgn, as well as a script to check for vulnerable hosts from the United States Cybersecurity and Infrastructure Security Agency (CISA).

Vendor response

Since the publication of exploit scripts, Citrix has updated their support article multiple times, providing a timeline for patches, as well as additional information about newly affected products and a bug in certain releases of ADC that impacts the mitigation steps.

Following an investigation, Citrix says that CVE-2019-19781 also affects “certain deployments of Citrix SDWAN,” specifically the Citrix SD-WAN WANOP because they package it with Citrix ADC “as a load balancer.”

In addition to the newly affected product, Citrix has identified a bug affecting version 12.1 of Citrix ADC and Gateway that prevents their mitigation steps from blocking exploit attempts. According to Citrix, version 12.1 builds prior to 51.16/51.19 and 50.31 contain a bug that “affects responder and rewrite policies bound to VPN virtual servers.” If packets match policy rules the bug will prevent these systems from processing the packets. For those customers running a build of 12.1 prior to 51.16/51.19 or 50.31, it is recommended to update to a newer build in order to apply the mitigation steps until the patch is released on January 27.

Solution

At the time this blog was published, patches were still not available for this vulnerability. However, Citrix says they plan to release patches for Citrix ADC, NetScaler Gateway and SD-WAN WANOP before the end of January 2020.

The following table contains expected release dates of “refresh builds” for Citrix ADC and Gateway:

Produit Version Refresh Build Release Date
Citrix ADC and Gateway 11.1 11.1.63.15 January 19, 2020
Citrix ADC and Gateway 12.0 12.0.63.13 January 19, 2020
Citrix ADC and Gateway 12.1 12.1.55.18 January 23, 2020
Citrix ADC and Gateway 13.0 13.0.47.24 January 23, 2020
Citrix ADC and Gateway 10.5 10.5.70.x January 24, 2020

Separately, the following table contains expected release dates of the NetScaler releases for Citrix SD-WAN WANOP:

Produit Version NetScaler Release Release Date
Citrix SD-WAN WANOP 10.2.6b 11.1.51.615 January 22, 2020
Citrix SD-WAN WANOP 11.0.3b 11.1.51.615 January 22, 2020

Identification des systèmes affectés

Tenable Research has released a direct check plugin (ID 132752) to identify vulnerable assets in addition to the our version check plugin (ID 132397), which can be found here. Note that the version check plugin (ID 132397) requires enabling 'paranoid mode'.

Où trouver plus d'informations

Rejoignez l'équipe SRT de Tenable sur Tenable Community.

Apprenez-en plus sur Tenable, la première plateforme de Cyber Exposure qui vous permet de gérer votre surface d'attaque moderne de manière globale.

Get a free 30-day trial of Tenable.io Vulnerability Management.

Articles connexes

Êtes-vous à la merci des derniers exploits ?

Indiquez votre adresse e-mail pour recevoir les dernières alertes de Cyber Exposure.

Essayer gratuitement Acheter dès maintenant
Tenable.io ESSAI GRATUIT PENDANT 30 JOURS

Bénéficiez d'un accès complet à une plateforme de gestion des vulnérabilités moderne hébergée dans le cloud qui vous permet de consulter l'ensemble de vos assets et d'en assurer le suivi, tout en bénéficiant d'une précision inégalée. Abonnez-vous dès maintenant.

Tenable.io ACHETER

Bénéficiez d'un accès complet à une plateforme de gestion des vulnérabilités moderne hébergée dans le cloud qui vous permet de consulter l'ensemble de vos assets et d'en assurer le suivi, tout en bénéficiant d'une précision inégalée. Souscrivez votre abonnement annuel dès aujourd'hui.

65 assets

Sélectionnez votre option d'abonnement :

Acheter maintenant
Essayer gratuitement Acheter dès maintenant

Essayer Nessus Professional gratuitement

GRATUIT PENDANT 7 JOURS

Nessus® est aujourd'hui le scanner de vulnérabilités le plus complet du marché. Nessus Professional vous donne les moyens d'automatiser le processus de scan des vulnérabilités, d'écourter vos cycles de mise en conformité et d'impliquer votre équipe IT.

Acheter Nessus Professional

Nessus® est aujourd'hui le scanner de vulnérabilités le plus complet du marché. Nessus Professional vous donne les moyens d'automatiser le processus de scan des vulnérabilités, d'écourter vos cycles de mise en conformité et d'impliquer votre équipe IT.

Achetez une licence pluriannuelle et faites des économies. Ajoutez l'assistance avancée pour bénéficier de l'accès 24 h/24, 7 j/7 à une assistance par téléphone, via la communauté et via le chat. Cliquez ici pour plus d'informations.

Essayer gratuitement Acheter dès maintenant

Essayer Tenable.io Web Application Scanning

GRATUIT PENDANT 30 JOURS

Profitez d'un accès complet à notre nouvelle offre Web Application Scanning conçue pour les applications modernes et s'intégrant à la plateforme Tenable.io. Scannez l'ensemble de votre portefeuille en toute sécurité et avec une grande précision, sans effort manuel important ni interruption des applications web stratégiques. Abonnez-vous dès maintenant.

Acheter Tenable.io Web Application Scanning

Bénéficiez d'un accès complet à une plateforme de gestion des vulnérabilités moderne hébergée dans le cloud qui vous permet de consulter l'ensemble de vos assets et d'en assurer le suivi, tout en bénéficiant d'une précision inégalée. Souscrivez votre abonnement annuel dès aujourd'hui.

5 FQDN

3 578,00 $

Acheter maintenant

Essayer gratuitement Contacter le service commercial

Essayer Tenable.io Container Security

GRATUIT PENDANT 30 JOURS

Profitez d'un accès complet à la seule offre de sécurité des conteneurs intégrée dans une plateforme de gestion des vulnérabilités. Surveillez les images de conteneur pour détecter d'éventuelles vulnérabilités, malwares ou violations des politiques. Intégrez la solution aux systèmes d'intégration et de déploiement continus (CI/CD) pour soutenir votre démarche DevOps, renforcer la sécurité et assurer la conformité aux politiques de l'entreprise.

Acheter Tenable.io Container Security

Tenable.io Container Security permet la mise en œuvre sécurisée et fluide de processus DevOps en fournissant une visibilité sur l'état de sécurité des images de conteneur, notamment en ce qui concerne les vulnérabilités, malwares et violations des politiques, par le biais d'une intégration au processus de compilation.

Essayer gratuitement Contacter le service commercial

Essayer Tenable Lumin

GRATUIT PENDANT 30 JOURS

Visualisez et explorez votre Cyber Exposure, suivez la réduction des risques au fil du temps et comparez-vous à vos pairs grâce à Tenable Lumin.

Acheter Tenable Lumin

Contactez un commercial pour découvrir comment Lumin peut vous aider à obtenir une visibilité sur l'ensemble de votre entreprise et à gérer votre cyber-risque.