On December 17th, 2019, Citrix disclosed a vulnerability in the Citrix Application Delivery Controller (ADC), also known as NetScaler ADC, and in Citrix Gateway, also known as NetScaler Gateway. The vulnerability allows directory traversal and subsequent remote command execution, meaning attackers can read sensitive information from system configuration files without authenticating, execute code, establish backdoors, and more.
In other words, exploiting this vulnerability gives attackers the keys to the kingdom: not only can they traverse an organization's data center and corporate networks, they can also gain access to the org's crown jewels.
The vulnerability affects all supported versions of Citrix ADC, NetScaler Gateway, and SD-WAN appliances, which means users should update their systems immediately.
You can find a detailed list of impacted software versions and links to the hotfixes here:
This vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) and is tracked as CVE-2019-19781. ExtraHop released updated detector rules for this vulnerability on January 23, 2020. It is also worth noting that other exploitation techniques via the Perl Template Toolkit are possible, so extra diligence and controls are called for.
Why It Matters (Criticality):
This vulnerability gives attackers remote code execution on the gateway appliance, which sits at a privileged location in customer networks. Compromised systems are likely to contain critical data such as configuration files and data useful for network reconnaissance. Given the function and location of these systems, attackers have many options available to them, such as monitoring network traffic or configurations for additional credentials, PII, or other sensitive data.
How the Attack Works (Anatomy):
Directory Traversal & Remote Code Execution:
Failure to perform proper data sanitization on incoming path requests allows attackers to enumerate system files and gain access to sensitive data without user authentication.
This is a classic example of an input validation flaw typically associated with information leakage, but once exploited it can be leveraged to bypass authentication, trigger remote code execution, or exploit other vulnerabilities on the system. This flaw makes it trivial to upload files to the system without authentication. Several directories and files are writable by the web server and exposed to unauthenticated users.
Example Exploitation of Directory Traversal Flaw Provided by SANS:
Step 1. Write file with code to vulnerable system:
- param1:=../../../var/www/file.php ← File being written to vulnerable system
- param2=<?php exec("rm -rf /") ← Contents of the file being written
Step 2. Trigger file execution:
For a more in-depth breakdown, see the SANS Webcast: What You Need To Know About the Critical Citrix Gateway (Netscaler) Vulnerability CVE-2019-19781.
How Can the Attack Be Detected?
Some IDS/IPS systems will be able to detect attackers attempting to exploit this vulnerability over plaintext protocols such as HTTP. However, attacks carried over SSL/TLS will remain undetected, as these tools typically lack the ability to decrypt that traffic.
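To make the two points above concrete (the missing path sanitization described under "Directory Traversal & Remote Code Execution", and the plaintext-HTTP detection that an IDS or log scan can do), here is an added example that is not code from the post, from ExtraHop, or from Citrix. It models the flaw with an unsafe and a hardened path resolver against a constructed web root, and runs a traversal check over constructed access-log lines; the web root, log format and client addresses are all assumptions, not Citrix internals.

```python
# Added example: unsafe vs. hardened path resolution, plus a traversal scan
# over plaintext HTTP access logs. Every path and log line here is constructed.
import posixpath
import re
from urllib.parse import unquote, urlsplit

WEB_ROOT = "/var/www/html"  # constructed document root, not a Citrix path


def decode_path(raw_path: str) -> str:
    """Percent-decode twice so %2e%2e and double-encoded %252e%252e both become '..'."""
    return unquote(unquote(raw_path))


def unsafe_resolve(raw_path: str) -> str:
    """The flaw: the decoded request path is appended to the web root unchecked."""
    return WEB_ROOT + decode_path(raw_path)


def safe_resolve(raw_path: str):
    """Hardened version: normalise the path, then refuse anything outside WEB_ROOT."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decode_path(raw_path).lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None  # traversal attempt: reject the request
    return candidate


def is_traversal(raw_request_target: str) -> bool:
    """True when any decoded path segment is '..', the signature of a traversal attempt."""
    path_only = urlsplit(raw_request_target).path
    return ".." in decode_path(path_only).split("/")


# Common-log-format line: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Return (client, method, target) for each request whose path escapes the web root."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_traversal(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


# Constructed sample log: two ordinary requests and two traversal attempts.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2020:10:00:02 +0000] "POST /vpn/../../../var/www/file.php HTTP/1.1" 200 0',
    '203.0.113.9 - - [10/Jan/2020:10:00:03 +0000] "GET /vpn/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Jan/2020:10:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Over TLS the same log scan still works on the server's own access log, which is one reason host-side log monitoring complements the network IDS the paragraph describes.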
On January 23, 2020, all active ExtraHop Reveal(x) appliances received an updated rule to provide coverage for CVE-2019-19781 (rule-based detection). ExtraHop's advanced ML detection engines provide ongoing mitigation against systems that may have been compromised prior to the patch being installed.
NOTE: FireEye has discovered a number of groups actively exploiting this vulnerability in the wild. In some instances the malicious actors gain access to the system, remove existing malware and persistence mechanisms, and then deploy custom toolkits that block further exploitation while maintaining a backdoor for their own use.
Remediation and Response Strategy:
On January 22, 2020, Citrix released updates to close this vulnerability. It is highly recommended that impacted systems be patched immediately. However, this does not resolve the ongoing risk associated with a pre-patch compromise.
Monitoring the host filesystem for Indicators of Compromise is recommended and will help mitigate the ongoing risk; however, these indicators are limited in scope and can be evaded by attackers. In addition, administrators should evaluate local and Active Directory user accounts that may have been compromised, and either disable those accounts or configure alerts that fire if they are used in unexpected ways.
On top of these post-remediation actions, we also recommend monitoring both east-west and north-south traffic. Evaluating network traffic for anomalous activity will greatly improve the likelihood of catching attackers.
ExtraHop Reveal(x) can assist with Citrix monitoring, enhancing visibility into network traffic and alerting incident responders to malicious behavior that may be related to this vulnerability, including but not limited to:
- unexpected user logins,
- database enumeration,
- network scanning,
- and password attacks such as password spraying.
Reveal(x) also provides full-spectrum threat hunting capabilities to help uncover relevant anomalies and possible suspicious activity that could indicate a late-stage compromise by advanced persistent threat (APT) actors who have exploited this vulnerability.
Patches and additional information for CVE-2019-19781 can be found here:
Citrix, in conjunction with Mandiant, has also provided a tool to help increase awareness of potential system compromises related to this issue:
- https://support.citrix.com/article/CTX267027 Vendor Advisory