On December 17, 2019, Citrix released a critical advisory regarding a vulnerability that allows remote code execution: CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway (https://support.citrix.com/article/CTX267027). The vulnerability is a directory traversal in the /vpn directory on the NetScaler; exploiting it allows remote execution of code as the user nobody.
Gotham previously alerted customers to this vulnerability. Citrix plans to release a permanent firmware fix for the issue on January 20, 2020. (https://www.citrix.com/blogs/2020/01/11/citrix-provides-update-on-citrix-adc-citrix-gateway-vulnerability/)
In the meantime, working exploits have been found and Gotham has been helping customers mitigate the situation. We're advising NetScaler admins to do the following:
- To prevent the vulnerability from being exploited, implement this solution from Citrix:
https://support.citrix.com/article/CTX267679
- In addition to implementing the prevention steps, perform the following checks on the NetScaler to determine whether it was compromised:
Review File Locations:
There are a few locations where backdoors are typically placed on the NetScaler after it is exploited. Search the following directories on the NetScaler for unusual or recently added files:
- /netscaler/portal/templates
- /var/tmp/netscaler/portal/template
Check for any Cron Jobs:
Run the following command on the NetScaler to determine whether any cron jobs are scheduled for the user nobody:
# crontab -l -u nobody
Check Running Processes:
Run the following command on the NetScaler to determine whether any processes are running as the user nobody:
# ps aux | grep nobody
Monitor Firewall Traffic:
Check your firewall for any communication to these public IPs:
- 62.113.112.33
- 185.178.45.221
- 193.187.174.104
- 217.12.221.12
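The checks above, bundled into one script as an added example (this is not Gotham's or Citrix's code). It takes the template directories and the four IOC IPs from this advisory, and assumes the firewall log you point it at is plain text with one connection per line; the function names and the 30-day window are our own choices.

```shell
#!/bin/sh
# Added example (not from the Gotham advisory or Citrix): a POSIX sh script that
# bundles the checks above into one pass on the NetScaler shell. Assumes the
# firewall log is plain text with one connection per line.

# Directories the advisory names as likely drop locations for backdoors.
TEMPLATE_DIRS="/netscaler/portal/templates /var/tmp/netscaler/portal/template"

# Public IPs from the advisory, one per line.
IOC_IPS="62.113.112.33
185.178.45.221
193.187.174.104
217.12.221.12"

# Print files under the template directories modified in the last DAYS days.
# Usage: recent_template_files DAYS ["DIR DIR ..."] (defaults to TEMPLATE_DIRS).
recent_template_files() {
    days="$1"; dirs="${2:-$TEMPLATE_DIRS}"
    for d in $dirs; do
        if [ -d "$d" ]; then find "$d" -type f -mtime "-$days"; fi
    done
}

# Print crontab entries for nobody; empty output means none are installed.
nobody_cron() {
    crontab -l -u nobody 2>/dev/null
    return 0
}

# Print processes whose USER column is nobody (no false hit on grep itself).
nobody_procs() {
    ps aux | awk '$1 == "nobody"'
}

# Print lines of LOGFILE containing any IOC IP; -w keeps 162.113.112.33 from
# matching 62.113.112.33. Exit status 1 means no hits.
ioc_hits() {
    args=""; for ip in $IOC_IPS; do args="$args -e $ip"; done
    grep -Fw $args "$1"
}

# Run every check from the NetScaler shell: run_all_checks [/path/to/fw.log]
run_all_checks() {
    echo "== Template files modified in the last 30 days =="; recent_template_files 30
    echo "== Crontab for nobody =="; nobody_cron
    echo "== Processes running as nobody =="; nobody_procs
    if [ -n "$1" ]; then
        echo "== Firewall log lines matching IOC IPs =="; ioc_hits "$1" || echo "(none)"
    fi
}
```

Output from the first three checks should normally be empty on a clean appliance; anything listed warrants a closer look before the permanent fix is applied.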
If you need assistance, please contact us via email at support@gothamtg.com.