General Disclosure
This is a directory traversal bug within Citrix ADC (NetScalers). It makes it possible to call a Perl script that is used to append files in an XML format to the victim machine, which in turn allows for remote code execution. It went public on 17 December 2019.
POC
If you want to test to see if this exposure is mitigated use the following:
curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is
A 403 means that you are patched, as does a response that returns a Citrix website and NOT the smb.conf file itself. If you can see smb.conf, then you are vulnerable.
There is also a POC available on GitHub: https://github.com/trustedsec/cve-2019-19781
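The check above can be scripted for the hosts you administer. This is an added example, not part of the original page or the linked POC; the function names are hypothetical, and recognising smb.conf by its Samba "[global]" section header is an assumption.

```shell
#!/usr/bin/env bash
# Added example: automate the mitigation check above and classify the result.

# classify_response STATUS BODY_FILE -> PATCHED | VULNERABLE | UNKNOWN
classify_response() {
    local status="$1" body_file="$2"
    # A 403 means the traversal request was refused.
    if [ "$status" = "403" ]; then echo "PATCHED"; return 0; fi
    # Assumption: smb.conf is recognised by its Samba "[global]" section header.
    if [ "$status" = "200" ] && grep -Eq '^[[:space:]]*\[global\]' "$body_file"; then
        echo "VULNERABLE"; return 0
    fi
    # An HTML page instead of the file is the "Citrix website" case.
    if grep -Eiq '<(!doctype|html)' "$body_file"; then echo "PATCHED"; return 0; fi
    # Timeouts, TLS failures, empty or unexpected bodies: do not guess.
    echo "UNKNOWN"
}

# check_host HOST: send the request from the page, print "HOST VERDICT".
check_host() {
    local host="$1" body status
    body="$(mktemp)" || return 2
    status="$(curl --silent --path-as-is --max-time 10 --output "$body" \
        --write-out '%{http_code}' "https://${host}/vpn/../vpns/cfg/smb.conf")" || status="000"
    printf '%s %s\n' "$host" "$(classify_response "$status" "$body")"
    rm -f "$body"
}

# demo: classify two constructed responses (not captured from a real device).
demo() {
    local dir; dir="$(mktemp -d)" || return 2
    printf '[global]\n\tworkgroup = EXAMPLE\n' > "$dir/file"
    printf '<html><title>login</title></html>\n' > "$dir/page"
    echo "constructed smb.conf body, 200: $(classify_response 200 "$dir/file")"
    echo "constructed HTML body, 200:     $(classify_response 200 "$dir/page")"
    rm -rf "$dir"
}

if [ "$#" -gt 0 ]; then
    for h in "$@"; do check_host "$h"; done
else
    demo
fi
```

Pass one or more hostnames as arguments to check them; an UNKNOWN verdict (for example a certificate error or timeout) needs a manual look rather than being read as patched.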
Affected Systems
Here is a list of the operating systems we have tested which are vulnerable to this attack:
- Citrix ADC and Citrix Gateway version 13.0 all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds
Possible Mitigations
Citrix has published a possible mitigation on their website: https://support.citrix.com/article/CTX267679
Infections
- Medisch Centrum Leeuwarden (15 January 2020)