What you need to know about Citrix ADC CVE-2019-19781:
In mid-December Citrix released a security advisory for a vulnerability in nearly all Citrix ADC/NetScaler and Citrix Gateway platforms. The exploit attacks the Citrix Access Gateway structure, regardless of whether it is in use.
Attackers can insert executable code into the ADC, run scheduled jobs, copy out configuration files and, in some cases, use the appliance to access other parts of your network. Citrix has released mitigation steps, but these only prevent future attacks. As of today, they have also provided an update schedule, starting January 20th, 2020.
Our Alchemists have done their due diligence and have a process to investigate appliances that were exposed to the vulnerability. They have worked with experts in network security as well as Citrix directly to develop a resolution for compromised appliances.
Alchemy is available to help you, but in case you want to follow our steps, here is what needs to be done post-mitigation to verify that your system is not compromised:
- Redundant Mitigation – Run through the Citrix mitigation steps again to verify that you didn’t miss anything. Check against the CISA scripts to verify that the mitigation steps are effective.
- Check the Crontab – Attackers are placing scheduled tasks in the OS to launch applications, even after the patches are in place.
- Check Running Processes – Code uploaded to the infected appliance can be run without impacting the appliance. Some examples of code found so far are crypto miners and backdoor scripts.
- Check for Copied/Recent Files – Attackers are making copies of the ns.conf file, which contains internal IPs, networking details and hashed passwords that could be decrypted. Files are also being copied into the VPN folder structure. If there are files with a recent creation date, it is likely that they were dropped there by an attacker. Resetting the nsroot password and any passwords stored as hashes in the ns.conf file is recommended.
- Update Firewall Signatures – Check Point, Fortinet and Palo Alto have all updated the signatures for their IPS firewalls, but most are set to detect only by default. Update your IPS and modify the action to block attempts.
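The crontab, process and file checks above can be scripted so they are repeatable across appliances. The helpers below are an added example, not Alchemy's or Citrix's tooling; the directories to search, the service account name and the known-good crontab baseline are assumptions you supply.

```shell
#!/bin/sh
# Post-mitigation triage helpers. Added example: the directories, account
# name and crontab baseline are assumptions supplied by the caller.

# Files under DIR modified within the last DAYS days (mtime can be forged,
# so treat an empty result as "nothing obvious", not as proof of a clean box).
recent_files() {    # usage: recent_files DIR DAYS
    [ -d "$1" ] || return 0
    find "$1" -type f -mtime "-$2" -print 2>/dev/null | sort
}

# Byte-for-byte copies of the configuration file anywhere under DIR.
conf_copies() {     # usage: conf_copies NS_CONF_PATH DIR
    find "$2" -type f ! -path "$1" -print 2>/dev/null | sort |
    while IFS= read -r f; do
        if cmp -s "$1" "$f"; then printf '%s\n' "$f"; fi
    done
}

# Active crontab lines in FILE that are absent from BASELINE, a file of
# known-good lines captured from a clean appliance.
unexpected_cron() { # usage: unexpected_cron FILE BASELINE
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
        grep -v -x -F -f "$2" || true
}

# Processes owned by USER, read from "user pid command" lines on stdin.
procs_for_user() {  # usage: ps -axo user,pid,command | procs_for_user USER
    awk -v u="$1" '$1 == u'
}

# Typical use on the appliance shell (names in capitals are placeholders):
#   recent_files PORTAL_DIR 30
#   conf_copies NS_CONF_PATH SEARCH_DIR
#   crontab -l -u SVC_USER > cron.now; unexpected_cron cron.now BASELINE
#   ps -axo user,pid,command | procs_for_user SVC_USER
```

conf_copies only finds exact copies of the current file; a copy taken before a later configuration change will differ and has to be caught by the recent-file check instead.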
If this appears intimidating, do not worry: Our Citrix Networking Experts are here to assist!
Please email us at firstname.lastname@example.org, or contact your sales representative as soon as possible.
Citrix Mitigation Steps – https://support.citrix.com/article/CTX267679
Reddit Security Thread – https://www.reddit.com/r/blueteamsec/comments/en4m7j/multiple_exploits_for_cve201919781_citrix/