What a start to the new year 2020, or Christmas for that matter, when the vulnerability CVE-2019-19781 was discovered, opening a backdoor into the NetScaler/ADC. At first, Citrix released a workaround that applies a responder policy to block any exploitation attempt; then a patch was released on the 19th January for ADC versions 11.0 and 12.0, and later, on the 23rd, the patches were released for 12.1 and 13.x. At our firm, using NMAS or ADC, we were able to run the responder policy and run firmware upgrades in just a couple of hours globally.
Detection: You will need to run the following check:
- Perform a GET request to: https://{host}/vpn/../vpns/
- If you get a 200 OK, this is bad and you are exposed.
- Check the response for "You don't have permission to access /vpns/" or a 403.
To detect a compromise on SSL VPN configurations, review Citrix web request logs for:
- HTTP log messages starting with "/vpn/../" containing directory traversal attacks such as "/vpn/../vpns/portal/scripts/newbm.pl" or "/vpn/../vpns/cfg/smb.conf"
- A direct request logged to "/vpns/" without the XML specified
- A POST followed by a GET to an XML file
The Responder policy:
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
Firmware Patch:
In order to fix the issue, you will need to apply the following firmware updates:
| Version | Refresh Build | Release Date      |
|---------|---------------|-------------------|
| 10.5    | 10.5.70.12    | 24th January 2020 |
| 11.1    | 11.1.63.15    | 19th January 2020 |
| 12.0    | 12.0.63.13    | 19th January 2020 |
| 12.1    | 12.1.55.18    | 23rd January 2020 |
| 13.0    | 13.0.47.24    | 23rd January 2020 |
Testing:
Citrix released a verification tool which you can use to test your environment: https://support.citrix.com/article/CTX269180
Other vendors offer the service for a fee.
More information: