Citrix Netscaler exploits and scans hit the internet

By on
Citrix Netscaler exploits and scans hit the internet

Patches still days away.

Organisations with Citrix Application Delivery Controller (Netscaler) installations are under renewed pressure to mitigate against a critical vulnerability after exploits for it were published, with patches still not available.

Citrix issued a critical advisory on December 17 United States time for the vulnerability, which is a flaw that allows directory traversal and calling of poorly written scripts.

About 3500 Australian users are thought to be susceptible.

Over the weekend, security vendor TrustedSec published a working exploit and a scanner for the flaw, which has been given the Common Vulnerabilties and Exposures index of CVE-2019-19781.

The flaw is also now nicknamed 'Citrixmash'.

TrustedSec researchers Rob Simon and Dave Kennedy published the Python scripts for the exploit and scanner on Github.

"This was only uploaded due to other researchers publishing their code first," they said.

"We would have hoped to have had this hidden for awhile longer while defenders had appropriate time to patch their systems.

"We are all for responsible disclosure. In this case - the cat was already out of the bag."

Attackers can use the Citrixmash bug to remotely run any code of their choosing, with no authentication required.

Multiple versions of Citrix ADC and Netscaler Gateway are affected by the bug, and there's no patch for the flaw as of yet.

A workaround involves manually executing commands to prevent directory traversal and restricting folder access to scripts that can be called for remote code execution was published by Citrix to mitigate against the vulnerability.

The commands are:

add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403

Citrix expects to deliver patches for the ADC and Gateway versions 11.1 and 12.0 by January 20 US time, with versions 12.1 and 13 coming on January 27 and 10.5 on January 31.

TrustedSec said it is aware of large scans taking place across the globe to map vulnerable Citrix servers with other security researchers making the same observation

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?