
Critical Citrix Bug Puts 80,000 Corporate LANs at Risk

tech.guru

https://threatpost.com/critical-citrix-bug-80000-corporate-lans-at-risk/151444/


If you have NetScalers, make sure to apply the mitigation explained in

https://support.citrix.com/article/CTX267679

 

Quote

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config 
Quote

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot

 

EDIT: please apply the official fixed firmware versions.

After the firmware upgrade, you can remove the mitigation.

Permanent fixes for CVE-2019-19781 ADC versions 13.0, 12.1, 12.0 and 11.1 are available now

These fixes also apply to Citrix ADC/Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX).

It is necessary to upgrade all Citrix ADC/Gateway for instances running 13.0 (MPX or VPX) to build 13.0.47.24, for instances running 12.1 (MPX or VPX) to build 12.1.55.18, for instances running 12.0 (MPX or VPX) to build 12.0.63.13, for instances running 11.1 (MPX or VPX) to build 11.1.63.15 and for instances running 10.5 (MPX or VPX) to build 10.5.70.12 to install the security vulnerability fixes.

For more details, please refer to CVE KB
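The responder policy quoted above makes one decision per request. As an added example (my code, not from the thread or from Citrix), the Python below emulates that match and runs it over constructed access-log lines, reporting the client addresses a syslog alert would carry; the log format and the assumption that logged requests carry no SSL VPN session are mine.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format; not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.20 - - [11/Jan/2020:10:00:02 +0000] "GET /vpns/example HTTP/1.1" 403 0
203.0.113.30 - - [11/Jan/2020:10:00:03 +0000] "GET /vpn/%2e%2e/vpns/example HTTP/1.1" 403 0
198.51.100.5 - - [11/Jan/2020:10:00:04 +0000] "POST /logon/LogonPoint/index.html HTTP/1.1" 200 20
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*"'
)


def decode_url(url: str) -> str:
    """Approximation of HTTP.REQ.URL.DECODE_USING_TEXT_MODE: percent-decode
    once, so an encoded dot-dot such as %2e%2e is compared as '..'."""
    return unquote(url)


def policy_matches(url: str, is_sslvpn: bool) -> bool:
    """Same boolean as the ctx267027 responder rule from the advisory:
    CONTAINS("/vpns/") && (!CLIENT.SSLVPN.IS_SSLVPN || CONTAINS("/../"))."""
    decoded = decode_url(url)
    return "/vpns/" in decoded and (not is_sslvpn or "/../" in decoded)


def scan_log(text: str):
    """Return (client_ip, decoded_url) for each line the policy would hit.
    A plain access log does not say whether the request carried an SSL VPN
    session, so is_sslvpn=False is assumed here (the conservative choice:
    every /vpns/ request from an unauthenticated client is a hit)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and policy_matches(m["url"], is_sslvpn=False):
            hits.append((m["ip"], decode_url(m["url"])))
    return hits


if __name__ == "__main__":
    for ip, url in scan_log(SAMPLE_LOG):
        print(f"responder hit: client={ip} url={url}")
```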


At least the mitigation is easy and will drop any of the invalid requests. Once you implement the responder you will see hits on the policy; it will be interesting to see if it's being actively exploited.

 

I would think you would want to log the hits on the responder policy and their client source addresses to syslog.


45 minutes ago, leadeater said:

Yay, we have Citrix ADC's.

Kind of a noob question but what is this Citrix thing, what is an ADC, and why does it concern this forum?


Application Delivery Controller.

It has many different functions and is deployed in a variety of use cases.

 

One of the common network appliances large enterprises use as:

  Application Firewall - filters out bad requests to application and web servers

  Gateway - full VPN to internal networks and micro VPN to applications

  Load Balancing

 

Because this is typically deployed inside the DMZ and accessible on public networks, vulnerabilities are particularly concerning.

 

This is one of the worst exploits because it requires no authentication and can bypass controls.

 

You'd be surprised what the NetScalers are used for behind the scenes; Blizzard uses it, for example, to distribute WoW players to all its servers.


15 minutes ago, kelvinhall05 said:

Kind of a noob question but what is this Citrix thing, what is an ADC, and why does it concern this forum?

Speaking as a home user without enterprise experience, it's enterprise-level networking stuff.

The forum is mostly home computer gaming, but most enterprise-level people do home computer stuff as well, and the two get blurred at the workstation level. It does qualify as tech news, and it may have an impact on consumers because someone is going to miss that their big iron has a new vulnerability and home users may get their data stolen. Again.

 

Personally I like that it was announced here, even if it has no impact on gaming from a home user standpoint, because it's the kind of information that needs to go out as far and as fast as possible.


Linus, on his own YouTube channel, is blurring lines as he is growing; you can see him going into enterprise technology.

 

He doesn't have a huge data center, but you can see him blurring the lines in his YouTube videos with rack-mount servers.

 

I know some here are also IT professionals; this is a pretty significant vulnerability, so I'm just putting the news out there.


Ouch, I know a few places I went to had Citrix running.


32 minutes ago, tech.guru said:

Linus, on his own YouTube channel, is blurring lines as he is growing; you can see him going into enterprise technology.

 

He doesn't have a huge data center, but you can see him blurring the lines in his YouTube videos with rack-mount servers.

 

I know some here are also IT professionals; this is a pretty significant vulnerability, so I'm just putting the news out there.

And good on you for doing it imho.


1 hour ago, kelvinhall05 said:

Kind of a noob question but what is this Citrix thing, what is an ADC, and why does it concern this forum?

One of the very popular security appliances used to present websites and applications to the internet. Everyone here would have at some point had an interaction going through a Citrix ADC but you'd never know it.

 

One of the problems with security appliances is if they get breached it's an all eggs in one basket situation, but it's still better than directly exposing web servers to the internet with varying levels of patches and security hardening.

 

It's sort of, but not really, having your own Cloudflare but micro scale (or as large as you want to deploy).


41 minutes ago, leadeater said:

One of the very popular security appliances used to present websites and applications to the internet. Everyone here would have at some point had an interaction going through a Citrix ADC but you'd never know it.

So is it like an internet gateway appliance that scans all outbound and inbound traffic at the proxy level?


It can act as a reverse proxy, but that's not necessarily its only deployment.


One of its selling points is called unified gateway.

 

It uses content switching to access all your applications from a single domain.

 

So you can have one certificate for all your applications.

 

You would for example have

    Company.com/app1

    Company.com/app2

 

With a content switching policy to send any URL with /app1 to the load balancing vserver for that application.

 

And separate vservers for /app2, etc.

You can also add authentication prior to granting access to a secure application, or even pass-through authentication as required.

 

Because the NetScaler is inspecting the traffic before it reaches the backend server, you can rewrite, transform and drop traffic as you wish. For example, you could add a link to a page on the fly without having to edit the HTML file.

It will insert the HTML code directly into the packets before they are sent to the client.

 

Likewise, if a client requests a really long URL or puts an insert statement into a field (SQL injection attack), you can log and drop the traffic before it's even sent to the server.

 

 


2 hours ago, tech.guru said:

But it's really not meant as a post to sell the product. It's something I have an interest in at work.

Don't worry, as a counter to the pseudo sales pitch: Citrix support is literally the worst I've ever seen, it really is that bad. There we go, balance restored.


perfect timing on this, just as we move to Citrix ....


10 hours ago, tech.guru said:

I know some here are also IT professionals; this is a pretty significant vulnerability, so I'm just putting the news out there.

I think a lot of us here are IT professionals.


Initially I thought it was about the hypervisor, and I was happy since we moved to KVM 10 years ago.

Then I realized it was about ADC, which we never used; our infrastructure is small and we have nothing except small nginx/apache balancers.


Oh boy. So that's what the scheduled downtime of half our infrastructure was back in mid-December.


Just an update: Citrix has started to provide permanent fixes already,

https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/

 

"We urge customers to immediately install these fixes (even if you have previously applied the mitigation). "

 

In addition, a campaign has started by a suspected state actor to compromise and patch systems.

See https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

 

If you did not apply the mitigation, there is a risk even with the patch or mitigation that system compromise may have already taken place. You need to examine the system for any signs of compromise.

 

 


Citrix has provided a blog post on this issue:

https://www.citrix.com/blogs/2020/01/22/citrix-and-fireeye-mandiant-share-forensic-tool-for-cve-2019-19781/

 

Citrix now provides a tool to check whether any well-known signs are present that suggest compromise and warrant further analysis on the NetScalers. Even with the mitigation applied, checking for possible compromise prior to applying the mitigation (since there are already active attacks in the wild) would be prudent.

 

You can find the tool here:

https://github.com/citrix/ioc-scanner-CVE-2019-19781#usage

 


One of the automakers, GEDIA, fell victim to the exploit.

 

Case in point: a cybercriminal gang responsible for infecting organizations with Sodinokibi (aka REvil) ransomware-as-a-service is claiming it has perpetrated an attack against German automobile manufacturer GEDIA Automotive Group. According to a report from ComputerWeekly, the group threatened on a Russian hacking forum to dox 50GB of sensitive data that was exfiltrated from GEDIA, unless it was paid its ransom demand within seven days. To back up its claims, the group reportedly posted files containing scans of the manufacturer’s Microsoft Active Directory.

 

https://www.scmagazine.com/home/security-news/vulnerabilities/citrix-fixes-bug-used-in-ransomware-attacks-auto-maker-gedia-falls-victim-to-exploit/


It's very important you apply patches; there are multiple targeted attacks.

 

The City of Potsdam shut down their systems after discovering it was under attack.

They reportedly did not apply the mitigation:

https://latesthackingnews.com/2020/01/29/city-of-potsdam-went-offline-after-suffering-a-cyber-attack/

 

There is active ransomware using this vulnerability to scan systems, infect Windows machines and encrypt files.

https://latesthackingnews.com/2020/01/30/ragnarok-ransomware-exploits-citrix-vulnerability-to-target-vulnerable-servers/

 

Please patch.....

Citrix has released the firmware for all versions, even as far back as 10.5.
