What is and how to monitor for Citrixmash (CVE-2019–19781)

Gianni Castaldi
Jan 16 · 3 min read

Updates:

Citrix released the updates for 11.1 and 12.0.

Also, my colleague Maurice de Jong is writing a great article (currently in draft) on how to monitor for exploitation attempts in our favorite SIEM, Azure Sentinel:

https://mcpforlife.com/2020/01/19/httpaccess-logging-into-azure-sentinel-on-citrix-netscaler-12-0/

What is it?

So today I’ll be doing a writeup about CVE-2019–19781, aka Citrixmash.

It allows an attacker to run code on the appliance without authenticating, which puts it in the worst class of vulnerabilities: unauthenticated remote code execution.

What happened is that, on the 17th of December 2019, Citrix published an advisory with mitigation steps but no patch. From the details in those mitigation steps, several security researchers were able to reverse engineer a working exploit.

The problem is that anyone who can reach the web interface of a Citrix NetScaler/ADC/Gateway can run commands on the system. The root cause is a path traversal in the appliance's web handler, which lets an unauthenticated request reach files and scripts it should never be able to touch.

Based on the research of Dave Kennedy from TrustedSec, I was able to test a large number of systems. At the time of writing (15th of January), I did a quick scan and determined that more than 30% of a large range of almost 20k IP addresses were still vulnerable.

The CVE number was requested on the 27th of December 2019, and the vulnerability has a CVSS 3.x base score of 9.8 out of 10 (Critical).

How to detect?

To scan your own systems I've created a simple PowerShell scanning script (embedded in the original post):

If you are vulnerable, you will receive the result shown in the first screenshot of the original post (image not reproduced here).

Once you have applied the mitigation steps, you will receive the result shown in the second screenshot of the original post (image not reproduced here).
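As an added example, and not the author's PowerShell script (which is not reproduced on this page), here is a Python version of the same kind of check. It sends the widely published traversal probe for /vpn/../vpns/cfg/smb.conf and grades the answer: Samba configuration content coming back means the traversal works and the box is vulnerable, a 403 means the Citrix responder-policy mitigation (or something else in front of the appliance) is blocking the request. The verdict strings, the User-Agent header and the 4 KiB read limit are my choices; http.client is used rather than requests so the "/../" segment goes out on the wire exactly as written. Only run it against systems you own or are authorised to test.

```python
"""Remote check for CVE-2019-19781 on a Citrix ADC / Gateway (added example).

Sends GET /vpn/../vpns/cfg/smb.conf and classifies the response.
Only run this against systems you own or are authorised to test.
"""
import http.client
import ssl
import sys

PROBE_PATH = "/vpn/../vpns/cfg/smb.conf"
# First section header of the Samba config that a vulnerable appliance leaks.
MARKER = "[global]"


def classify(status, body):
    """Map an HTTP status and response body to a verdict.

    vulnerable   - traversal worked, smb.conf content came back
    blocked      - 403: responder-policy mitigation (or a WAF) rejected the request
    no-traversal - anything else: fixed build, not an ADC/Gateway, or a generic page
    """
    if status == 200 and MARKER in body:
        return "vulnerable"
    if status == 403:
        return "blocked"
    return "no-traversal"


def probe(host, port=443, timeout=10):
    """Send the probe to one host and return (verdict, http_status)."""
    # Appliances commonly present self-signed or internal certificates,
    # so certificate verification is deliberately disabled for the probe.
    ctx = ssl._create_unverified_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        # http.client sends PROBE_PATH verbatim; the "/../" is not normalised away.
        conn.request("GET", PROBE_PATH,
                     headers={"Host": host, "User-Agent": "cve-2019-19781-check"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")  # smb.conf is small
        return classify(resp.status, body), resp.status
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check.py HOST [HOST ...]")
    for target in sys.argv[1:]:
        try:
            verdict, status = probe(target)
        except (OSError, http.client.HTTPException) as exc:
            verdict, status = f"error: {exc}", None
        print(f"{target}\t{status}\t{verdict}")
```

A "blocked" verdict only tells you that the request to that particular address was rejected, so scan every vserver and IP the appliance answers on; a responder policy bound to only some of them leaves the others exposed. A 200 without the "[global]" marker (for example a catch-all login page) is deliberately not counted as vulnerable.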

The mitigation steps are available on:

Where is the fix?

The real fix will take about a week, depending on your version. Citrix's planned release dates for the fixed builds are:

  • 10.5: 31st of January 2020
  • 11.1: 20th of January 2020
  • 12.0: 20th of January 2020
  • 12.1: 27th of January 2020
  • 13.0: 27th of January 2020

What to monitor?

A good tip is to monitor the following:

  • New or modified files in the two template directories, which is where a successful exploit drops its files:
  • /var/tmp/netscaler/portal/templates/
  • /netscaler/portal/templates/
  • Cron jobs created for the user nobody, the account the web handler runs as, so exploit payloads typically end up in its crontab (check with crontab -l -u nobody)
  • The YARA and Sigma rules by Arnim Rupp and Florian Roth, to build detections in your favorite SIEM or SOAR
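Besides the file system and cron checks above, the appliance's HTTP access log shows the exploitation attempts themselves. As an added example (not from the original post or from the Sigma rules it mentions), the script below sweeps Apache-style access-log lines for this CVE: it URL-decodes each request URI (twice, to catch double encoding) and matches it against three indicators, the /../vpns/ traversal, the smb.conf probe and requests into /vpns/portal/scripts/. The indicator list is my selection; the public Sigma rule keys on similar URI fragments. The log lines are constructed for the example and the script name example.pl is hypothetical.

```python
"""Sweep an HTTP access log for CVE-2019-19781 exploitation attempts (added example).

A 200 on a matching line means the request got through; a 403 means the
responder-policy mitigation blocked it, which is still worth alerting on
because somebody is knocking.
"""
import re
import urllib.parse
from collections import Counter

# Constructed sample lines in Apache common log format (not real appliance output).
# "example.pl" is a hypothetical script name.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1523
203.0.113.7 - - [11/Jan/2020:10:01:05 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
203.0.113.7 - - [11/Jan/2020:10:01:09 +0000] "POST /vpn/../vpns/portal/scripts/example.pl HTTP/1.1" 200 0
198.51.100.3 - - [11/Jan/2020:10:02:00 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0
192.0.2.9 - - [11/Jan/2020:10:03:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4021
"""

# ip ident user [timestamp] "METHOD URI PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# URI fragments that only appear when someone is probing or exploiting this CVE.
INDICATORS = ("/../vpns/", "/vpns/cfg/smb.conf", "/vpns/portal/scripts/")


def normalise(uri):
    """Lower-case and URL-decode a request URI, twice to defeat double encoding."""
    return urllib.parse.unquote(urllib.parse.unquote(uri)).lower()


def is_suspicious(uri):
    """True if the decoded URI contains any of the indicators."""
    decoded = normalise(uri)
    return any(ind in decoded for ind in INDICATORS)


def find_hits(log_text):
    """Return (ip, method, raw_uri, status, succeeded) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log record; skip silently
        if is_suspicious(m["uri"]):
            status = int(m["status"])
            hits.append((m["ip"], m["method"], m["uri"], status, status == 200))
    return hits


def attackers(hits):
    """Count attempts per source IP, for a quick blocklist or pivot."""
    return Counter(h[0] for h in hits)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for ip, method, uri, status, ok in hits:
        print(f"{ip:15} {method:4} {status} {'SUCCEEDED' if ok else 'blocked':9} {uri}")
    print("attempts per source:", dict(attackers(hits)))
```

Matching on the decoded URI matters: the mitigation's responder policy and a naive grep both look at the raw request line, so an attacker who encodes the dots ("%2e%2e") or double-encodes them can slip past a string match while the appliance still decodes the path. On the sample data the two 200 responses from 203.0.113.7 are the ones that warrant an incident, since the traversal actually worked there.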

What To-Do?

  • apply the mitigation steps and verify them with a scan
  • wait for the real fix and install it as soon as it is released for your version
  • think about your exposure: does this appliance really need to be reachable from the whole internet?
  • and of course, keep monitoring your systems with your favorite SIEM/SOAR

Wortell

Microsoft Cloud & Enterprise Security
