Citrix Netscaler exploits and scans hit the internet

By on
Citrix Netscaler exploits and scans hit the internet

Patches still days away.

Organisations with Citrix Application Delivery Controller (Netscaler) installations are under renewed pressure to mitigate against a critical vulnerability after exploits for it were published, with patches still not available.

Citrix issued a critical advisory on December 17 United States time for the vulnerability, which is a flaw that allows directory traversal and calling of poorly written scripts.

About 3500 Australian users are thought to be susceptible.

Over the weekend, security vendor TrustedSec published a working exploit and a scanner for the flaw, which has been given the Common Vulnerabilties and Exposures index of CVE-2019-19781.

The flaw is also now nicknamed 'Citrixmash'.

TrustedSec researchers Rob Simon and Dave Kennedy published the Python scripts for the exploit and scanner on Github.

"This was only uploaded due to other researchers publishing their code first," they said.

"We would have hoped to have had this hidden for awhile longer while defenders had appropriate time to patch their systems.

"We are all for responsible disclosure. In this case - the cat was already out of the bag."

Attackers can use the Citrixmash bug to remotely run any code of their choosing, with no authentication required.

Multiple versions of Citrix ADC and Netscaler Gateway are affected by the bug, and there's no patch for the flaw as of yet.

A workaround involves manually executing commands to prevent directory traversal and restricting folder access to scripts that can be called for remote code execution was published by Citrix to mitigate against the vulnerability.

The commands are:

add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403

Citrix expects to deliver patches for the ADC and Gateway versions 11.1 and 12.0 by January 20 US time, with versions 12.1 and 13 coming on January 27 and 10.5 on January 31.

TrustedSec said it is aware of large scans taking place across the globe to map vulnerable Citrix servers with other security researchers making the same observation

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
citrix citrixmash cve201919781 netscaler security trusted security

Most Read Articles

Woolworths pays record $1m fine for spamming customers

Woolworths pays record $1m fine for spamming customers
Telstra gets two more years to upgrade or sell its residential fibre networks

Telstra gets two more years to upgrade or sell its residential fibre networks
ATO systems crash in tax time refund rush

ATO systems crash in tax time refund rush
Critical F5 BIG-IP vulnerability made public

Critical F5 BIG-IP vulnerability made public
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Get IT, finance and business on the same page
Get IT, finance and business on the same page
Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
Organizations Increasing Their Adoption of NFV
Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD

Events

Log In

Username / Email:
Password:
  |  Forgot your password?