[German]Citrix developers have now released further firmware updates to close the vulnerabilities reported before Christmas 2019. There is also a scanner to detect Citrix systems compromised via the CVE-2019-19781 vulnerability. And there is a critical vulnerability in Cisco Firepower.
Citrix vulnerability CVE-2019-19781
A vulnerability (CVE-2019-19781) exists in the Citrix Application Delivery Controller (ADC), formerly NetScaler ADC, and in Citrix Gateway, formerly NetScaler Gateway, that could allow attackers to execute unwanted code. If this vulnerability is exploited, attackers can gain direct access to the corporate local network from the Internet. This attack does not require access to any accounts and therefore can be executed by any remote attacker. I first reported the vulnerability in Citrix products before Christmas 2019 in the blog post Vulnerability in Citrix Apps put companies at risk.
Firmware updates for Citrix products
The first firmware update for the Citrix ADC/Netscaler 11.1/12.0 was released on January 19, 2020, and Citrix has also published a blog entry on the topic of Vulnerability Update: First permanent fixes available, timeline accelerated. Permanent fixes for the ADC versions 11.1 and 12.0 are available for download here and here.
I had reported patches for Citrix ADC/Netscaler 11.1/12.0 available (19.1.2020) in the blog post Citrix ADC/Netscaler patches 11.1/12.0 released (01/19/2020), for more details see the Citrix blog post. There the release dates and the versions for the updates are listed.
The permanent security patch / firmware for @Citrix CVE-2019-19781 is now available for all versions: 11.0, 11.1, 12.0, 12.1 and 13.0 Happy updating! https://t.co/q0PNaR8EpL #CitrixADC #NetScalerRocks pic.twitter.com/V2vkp0E0If
— Anton van Pelt (@AntonvanPelt) January 23, 2020
According to the above tweet, firmware updates for all versions 11.0, 11.1, 12.0, 12.1 and 13.0 of the Citrix ADC are now released. In addition, firmware updates have been released for the versions of Citrix SD-WAN WANOP affected by the CVE-2019-19781 vulnerability. The fixes are available here. Administrators should install the updates immediately.
— BleepingComputer (@BleepinComputer) January 24, 2020
Addendum: According to the above tweet, Citrix has now released updates for all Citrix products affected by the vulnerability.
Scanner to detect hacked Citrix systems
The problem is that Citrix provided a workaround but no patch to close the vulnerability after it was disclosed. Many Citrix ADC/Netscaler have been 'open' for over a month and may already have been compromised by malware.
Citrix has released a scanner these days to scan for compromised Citrix devices. The whole thing is a shell script that is available on GitHub and should run directly on the appliances. Bleeping Computer has an article about that scanner.
CVE-2019-16028 vulnerability in Cisco Firepower
Cisco Firepower is a firewall designed to detect security breaches and stop threats. However, there is a CVE-2019-16028 vulnerability in LDAP authentication, which Cisco has identified as critical, that Cisco is warning about. A vulnerability in the Cisco Firepower Management Center (FMC) web-based management interface could allow an unauthenticated remote attacker to bypass authentication and perform arbitrary actions with administrative privileges on an affected device.
The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending finished HTTP requests to an affected device. A successful attack could allow the attacker to gain administrative access to the affected device's Web-based management interface. Cisco has issued a software update to close this vulnerability.
Vulnerability in Citrix Apps put companies at risk
PoC for Citrix ADC/Netscaler vulnerability CVE-2019-19781
Further actions required for Citrix Netscaler vulnerability
Citrix ADC/Netscaler patches 11.1/12.0 released (01/19/2020)
Cookies helps to fund this blog: Cookie settings