search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP web server vulnerability

Vulnerability Note VU#619785

Original Release Date: 2020-01-08 | Last Revised: 2020-01-27

Overview

A vulnerability been identified in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC, Citrix Gateway formerly known as NetScaler Gateway, and Citrix SDWAN WANOP that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system.

Description

Citrix has published a security bulletin that mentions a vulnerability that can be exploited to achieve arbitrary code execution by a remote, unauthenticated attacker. Although the bulletin does not describe details about the vulnerability, the mitigation steps describe techniques to block the handling of requests that contain a directory traversal attempt (/../) and also requests that attempt to access the /vpns/ directory.

Limited testing has shown that the affected Citrix software fails to restrict access to perl scripts that are available via the /vpns/ path. An unauthenticated remote attacker may be able to provide crafted content to these scripts that result in arbitrary code execution. One technique that has been outlined involves the writing of an XML file using a directory traversal and the subsequent command execution by way of the Perl Template Toolkit. Other exploitation techniques may be possible.

A link of the following form can be used to determine if a system is affected:
https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf

For example, the following curl command can be used:
curl https:// CITRIXGATEWAY /vpn/../vpns/cfg/smb.conf --path-as-is -k

The " CITRIXGATEWAY " string should be replaced with the name or IP of the system you wish to test. If retrieving the link results in a 403 Forbidden error, then the mitigations outlined below have likely been applied. However, if retrieving the link results in the contents of a smb.conf file, then the system is vulnerable.

Impact

By exploiting this vulnerability, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system.

Solution

Apply an update

Citrix has released updates in Security Bulletin CTX267027. The updated software is designed to prevent unauthenticated attackers from accessing certain web server features. If you are unable to apply updates, please consider the following workarounds:

Block the handling of specially-crafted requests

Citrix article CTX267679 contains several mitigation options for this vulnerability, depending on what type of product installation is used. For example, on a stand-alone system, the following commands are reported to mitigate this vulnerability:

    nable ns feature responder
    add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\\r\
    add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
    bind responder global ctx267027 1 END -type REQ_OVERRIDE
    save config

    shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
    shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
    reboot

Note that other configurations, such as CLIP, and HA, the steps to mitigate this vulnerability may be different. Please see CTX267679 for more details.

Also note that the above mitigation does not work on Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31, due to an altogether different bug. Release 12.1 users are recommended to update to an unaffected build and also apply mitigations for protection.

Vendor Information

619785
 
Affected   Unknown   Unaffected

Citrix

Updated:  January 08, 2020

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 10 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 9.5 E:H/RL:W/RC:C
Environmental 7.1 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This vulnerability was reported to the vendor by Mikhail Klyuchnikov of Positive Technologies.

This document was written by Art Manion and Will Dormann.

Other Information

CVE IDs: CVE-2019-19781
Date Public: 2019-12-17
Date First Published: 2020-01-08
Date Last Updated: 2020-01-27 14:39 UTC
Document Revision: 99

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.