Citrix NetScaler Vulnerability: Allows access to corporate network without accounts

All I wanted for Christmas was to NOT patch work systems.

Over the holiday break, Citrix announced a major vulnerability in two of its most popular products: the Citrix Application Delivery Controller (formerly known as NetScaler ADC) and the Citrix Gateway (formerly known as NetScaler ADC since version 10.5). If you own either of these products and have not patched them, you should read this entire post.

This vulnerability can allow attackers to gain unauthorized access to a company's internal network without needing to access or compromise any user or system accounts. The exploit involves running malicious code against the NetScaler, which could include launching remote sessions or Citrix published applications.

For an in-depth breakdown of the flaw, you can read a post by @johullrich (https://isc.sans.edu/forums/diary/Some+Thoughts+About+the+Critical+Citrix+ADCGateway+Vulnerability+CVE201919781/25660/). He discusses how the exploit works and the workaround methods proposed by Citrix.

You can track the vulnerability itself at NIST under CVE-2019-19781.

Citrix is, of course, advising all of its customers to perform the workaround remediation methods described in CTX267679.

These involve running a few commands on the CLI and then rebooting the device to clear out any unprotected sessions that were already established. Although the reboot is not strictly required, it is recommended. You can find the exact commands and steps for the various configurations in the Citrix KB article (CTX267679) linked above.
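For reference, this is the CTX267679 responder-policy workaround as I know it from the Citrix KB, added here and not part of the original post; verify each line against the current KB article before applying it, since the KB is the authoritative source.

```text
enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267679 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267679 1 END -type REQ_OVERRIDE
save config
```

The policy answers 403 to any request whose decoded URL reaches /vpns/ without an authenticated SSL VPN session or contains a /../ traversal, which is why the reboot afterwards matters: it drops sessions established before the policy existed. HA pairs, clusters and SDX deployments have additional steps in the KB.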

Keep an eye out for an eventual Citrix firmware update, as the current method is only a workaround.

Stay Safe out there!
Carlo
