{"id":12653,"date":"2020-01-17T13:23:07","date_gmt":"2020-01-17T12:23:07","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12653"},"modified":"2020-01-17T13:23:42","modified_gmt":"2020-01-17T12:23:42","slug":"further-actions-required-for-citrix-netscaler-vulnerability","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/01\/17\/further-actions-required-for-citrix-netscaler-vulnerability\/","title":{"rendered":"Further actions required for Citrix Netscaler vulnerability"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/01\/17\/achtung-weiterer-nachbesserungsbedarf-bei-citrix-netscaler\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Another short collection for administrators who use the Citrix ADC (Application Delivery Controller, formerly Netscaler). The CVE-2019-19781 vulnerability has been exploited. In addition, other vulnerabilities and backdoors have been discovered. As there are no firmware updates available yet (coming next week), those affected will have to revisit their systems, harden them against the vulnerabilities and perform additional checks to ensure that the instances are not infected. <\/p>\n<p><!--more--><\/p>\n<h2>German BSI warns again about CVE-2019-19781 <\/h2>\n<p>I have warned about the CVE-2019-19781 vulnerability several times here in this blog (see my linked posts at the end of this article). 
In the article <a href=\"https:\/\/borncity.com\/win\/2019\/12\/24\/schwachstelle-in-citrix-produkten-gefhrdet-firmen-netzwerke\/\">Vulnerability in Citrix Apps put companies at risk<\/a> there is even a pointer to a scanner for the vulnerability. So we may assume that every admin has finally taken action.&nbsp; <\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"de\" dir=\"ltr\">CVE-2019-19781: The BSI has received reports that <a href=\"https:\/\/twitter.com\/hashtag\/Citrix?src=hash&amp;ref_src=twsrc%5Etfw\">#Citrix<\/a> systems are being successfully attacked. We again urgently call on users to implement the Citrix workarounds immediately! <a href=\"https:\/\/twitter.com\/hashtag\/CitrixADC?src=hash&amp;ref_src=twsrc%5Etfw\">#CitrixADC<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/CitrixGateway?src=hash&amp;ref_src=twsrc%5Etfw\">#CitrixGateway<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Netscaler?src=hash&amp;ref_src=twsrc%5Etfw\">#Netscaler<\/a> More information here: <a href=\"https:\/\/t.co\/kHwPolBAgD\">https:\/\/t.co\/kHwPolBAgD<\/a><\/p>\n<p>\u2014 BSI (@BSI_Bund) <a href=\"https:\/\/twitter.com\/BSI_Bund\/status\/1217887780543614977?ref_src=twsrc%5Etfw\">January 16, 2020<\/a><\/p><\/blockquote>\n<p>Apparently this is not the case, as the German BSI feels compelled to issue a new warning in the tweet above. The German Federal Office for Information Security (BSI) has received numerous reports that Citrix systems have been successfully attacked. The BSI again urgently calls on administrators to apply the mitigations provided by the manufacturer Citrix immediately and not to wait for the security updates. 
Users who have not yet implemented the workaround measures should also check their Citrix systems directly connected to the Internet for a probable compromise.<\/p>\n<blockquote>\n<p>Tip: Blog reader Christian Demmerer pointed out in <a href=\"https:\/\/www.borncity.com\/blog\/2020\/01\/13\/exploit-fr-citrix-adc-netscaler-schwachstelle-cve-2019-19781\/#comment-83010\" target=\"_blank\" rel=\"noopener noreferrer\">this German comment<\/a> that the countermeasures recommended by Citrix to mitigate the vulnerability do not work with some older firmware versions. There is a bug, and Christian describes a solution (update the old firmware).&nbsp; <\/p>\n<\/blockquote>\n<h2>New checks required! <\/h2>\n<p>German blog reader Puchte pointed out in <a href=\"https:\/\/www.borncity.com\/blog\/2020\/01\/13\/exploit-fr-citrix-adc-netscaler-schwachstelle-cve-2019-19781\/#comment-83164\" target=\"_blank\" rel=\"noopener noreferrer\">this comment<\/a> that an additional vulnerability in two HTTP headers has been discovered in Citrix NetScaler. Since the first proof-of-concept (PoC) exploits were published, attacks on the Citrix ADC have been detected. <\/p>\n<p><a href=\"https:\/\/isc.sans.edu\/diaryimages\/images\/Screen%20Shot%202020-01-11%20at%2010_20_51%20AM.png\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" title=\"Honeypot Detects per Hour (Citrix ADC)\" alt=\"Honeypot Detects per Hour (Citrix ADC)\" src=\"https:\/\/isc.sans.edu\/diaryimages\/images\/Screen%20Shot%202020-01-11%20at%2010_20_51%20AM.png\" width=\"621\" height=\"283\"><\/a><br \/>(Citrix ADC Honeypot Detects per Hour, Source: <a href=\"https:\/\/isc.sans.edu\/diaryimages\/images\/Screen%20Shot%202020-01-11%20at%2010_20_51%20AM.png\" target=\"_blank\" rel=\"noopener noreferrer\">SANS<\/a>)<\/p>\n<p>The above graph shows the increase in attack attempts recorded by a honeypot. 
During an analysis it was noticed that two known exploits leave files in the following directories:<\/p>\n<p>\/var\/tmp\/netscaler\/portal\/templates <br \/>\/netscaler\/portal\/templates<\/p>\n<p>But there is probably a bot that tries to delete the XML files. The SANS Institute describes the details <a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor\/25700\/I%E2%80%99ve\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. In short: if you administer Citrix ADC\/Netscaler and have not yet applied the workarounds suggested by Citrix, please take care of it now. <\/p>\n<p>In addition, all administrators of Citrix ADC\/Netscaler should check whether they have already been compromised by looking for the files described <a href=\"https:\/\/isc.sans.edu\/forums\/diary\/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor\/25700\/I%E2%80%99ve\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. To detect vulnerable systems, the following command (with host replaced by the address of the Citrix ADC\/Netscaler) must be entered in a shell:&nbsp; <\/p>\n<blockquote>\n<p><code>curl https:\/\/host\/vpn\/..\/vpns\/cfg\/smb.conf --path-as-is<\/code><\/p>\n<\/blockquote>\n<p>A response code of 200 means that the Citrix ADC\/Netscaler is vulnerable. A 403 response code indicates that the workaround to mitigate the bug is in place. A 404 response probably means that it is not a Citrix ADC or another vulnerable system. But read the notes in the following section. <\/p>\n<h2>404 Exploit Not Found: FireEye found a Backdoor<\/h2>\n<p>During the night I came <a href=\"https:\/\/twitter.com\/cglyer\/status\/1218010132996665345\" target=\"_blank\" rel=\"noopener noreferrer\">across a tweet<\/a> from Christopher Glyer (Chief Security Architect at security provider FireEye).<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">We found an unexpected development with the Citrix Netscaler vulnerability. 
A seemingly \"white knight\" who left a backdoor to deploy additional malware while keeping out other criminals. <br \/><a href=\"https:\/\/t.co\/2kgcMGSosT\">https:\/\/t.co\/2kgcMGSosT<\/a><\/p>\n<p>\u2014 Christopher Glyer (@cglyer) <a href=\"https:\/\/twitter.com\/cglyer\/status\/1218010132996665345?ref_src=twsrc%5Etfw\">January 17, 2020<\/a><\/p><\/blockquote>\n<p>Does the above test return the code 404 Exploit Not Found? Then it could be that the Citrix ADC\/Netscaler has already been visited by a bot. After FireEye security experts analyzed dozens of successful attacks on Citrix ADCs on which the <a href=\"https:\/\/support.citrix.com\/article\/CTX267679\" target=\"_blank\" rel=\"noopener noreferrer\">Citrix mitigation measures<\/a> for CVE-2019-19781 had not been implemented, several groups of exploits came to light. One 'attacker' stood out because it used a previously unseen payload in the attack. This actor developed the code family NOTROBIN for this.<\/p>\n<p>The attacker scans the Internet for vulnerable Citrix ADC\/Netscaler instances. As soon as he gains access to a vulnerable NetScaler device, this actor cleans up known malware and uses NOTROBIN to block subsequent attack attempts! <\/p>\n<p>At first you might think: oh, a white hat hacker doing good. But it is not all as it seems, because the NOTROBIN payload sets up a backdoor. Anyone who knows a secret passphrase can access the Citrix ADC\/Netscaler. FireEye believes that this actor could be secretly collecting access to Citrix ADC\/Netscaler devices for a later campaign. 
Details on the attack and instructions on how to determine if the backdoor is present can be found in this <a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/01\/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html\" target=\"_blank\" rel=\"noopener noreferrer\">FireEye blog post<\/a>. <\/p>\n<p><strong>Similar articles<\/strong><br \/><a href=\"https:\/\/borncity.com\/win\/2019\/12\/24\/schwachstelle-in-citrix-produkten-gefhrdet-firmen-netzwerke\/\">Vulnerability in Citrix Apps put companies at risk<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/01\/13\/poc-for-citrix-adc-netscaler-vulnerability-cve-2019-19781\/\">PoC for Citrix ADC\/Netscaler vulnerability CVE-2019-19781<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Another short collection for administrators who use the Citrix ADC (Application Delivery Controller, formerly Netscaler). The CVE-2019-19781 vulnerability has been exploited. In addition, other vulnerabilities and backdoors have been discovered. 
As there are no firmware updates available yet (coming next &hellip; <a href=\"https:\/\/borncity.com\/win\/2020\/01\/17\/further-actions-required-for-citrix-netscaler-vulnerability\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547],"tags":[2222,2233,69],"class_list":["post-12653","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-citrix","tag-cve-2019-19781","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12653","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12653"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12653\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12653"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12653"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12653"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}