A vulnerability been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.
Citrix has published a security bulletin that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote, unauthenticated attacker. Although the bulletin does not describe details about the vulnerability, the mitigation steps describe techniques to block the handling of requests that contain a directory traversal attempt (/../) and also requests that attempt to access the /vpns/ directory.
Limited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the /vpns/ path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been outlined involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the Perl Template Toolkit. Other exploitation techniques may be possible.
By exploiting this vulnerability, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.
Apply an update
Block the handling of specially-crafted requests
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\\r\
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
Note that other configurations, such as CLIP, and HA, the steps to mitigate this vulnerability may be different. Please see CTX267679 for more details.
Also note that the above mitigation does not work on Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31, due to an altogether different bug. Release 12.1 users are recommended to update to an unaffected build and also apply mitigations for protection.
This vulnerability was reported to the vendor by Mikhail Klyuchnikov of Positive Technologies.
This document was written by Art Manion and Will Dormann.
|Date First Published:||2020-01-08|
|Date Last Updated:||2020-02-03 13:11 UTC|