What is and how to monitor for Citrixmash (CVE-2019-19781)

Gianni Castaldi
Wortell
Jan 16, 2020

Updates:

Citrix released the updates for 11.1 and 12.0.

Also, my colleague Maurice de Jong is writing a great article (currently in draft) on how to monitor for exploits in our favorite SIEM, Azure Sentinel:

https://mcpforlife.com/2020/01/19/httpaccess-logging-into-azure-sentinel-on-citrix-netscaler-12-0/

What is it?

So today I’ll be doing a writeup about CVE-2019-19781, aka Citrixmash.

It allows attackers to run code on a remote system without authenticating (unauthenticated remote code execution), which makes it the most severe class of vulnerability.

What happened is that on the 17th of December 2019 Citrix released information on how to remediate the problem, and from that information several security researchers were able to reverse engineer the remediation steps into a working exploit.

The problem is that any user who can reach the Citrix NetScaler/ADC/Gateway URL can run commands on the system.

Based on the research of Dave Kennedy from TrustedSec, I was able to test a large number of systems. At the time of writing (15th of January), a quick scan showed that more than 30% of a range of almost 20k IP addresses are still vulnerable.

The CVE number was requested on the 27th of December 2019, and the vulnerability is classified under CVSS 3.x with a score of 9.8 out of 10.

How to detect?

To scan your own systems I've created a simple PowerShell scanning script:

If you are vulnerable, you will receive the following result:

When you have applied the mitigation steps, you will receive the following result:

The mitigation steps are available on:

Where is the fix?

The real fix will take about a week depending on your version:

  • 10.5: 31st of January 2020
  • 11.1: 20th of January 2020
  • 12.0: 20th of January 2020
  • 12.1: 27th of January 2020
  • 13.0: 27th of January 2020

What to monitor?

A good tip is to monitor the following two locations:

  • /var/tmp/netscaler/portal/templates/
  • /netscaler/portal/templates/

Also watch for the creation of cron jobs by the user nobody (crontab -l -u nobody).
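The two indicators above (new files in the template directories and a crontab for nobody) can be checked from a single POSIX shell script. The script below is an added example, not part of the original post or of any Citrix tooling: the directory paths and the crontab command are the ones named in the post, while the 7-day window, the script name check_netscaler.sh and the --run flag are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: a defender-side check for the
# two indicators named above. It lists files recently written under the two
# template directories and prints any active cron entries for the user
# "nobody". Paths are the ones the post names; the 7-day window is an
# assumption.

# Template directories the post recommends watching.
WATCH_DIRS="/var/tmp/netscaler/portal/templates /netscaler/portal/templates"

# Print files under DIR modified within the last DAYS days (default 7).
# Prints nothing and returns 1 when DIR does not exist.
recent_files() {
    dir="$1"
    days="${2:-7}"
    [ -d "$dir" ] || return 1
    find "$dir" -type f -mtime "-$days" 2>/dev/null
}

# Count how many recent files recent_files reports for DIR.
count_recent() {
    recent_files "$1" "${2:-7}" | wc -l | tr -d ' '
}

# Read crontab output on stdin and keep only active entries
# (drops comment lines and blank lines).
active_cron_entries() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Run both checks on the local box. Returns 1 if anything was found,
# so the script can be scheduled or wired into a SIEM agent.
run_checks() {
    found=0
    for d in $WATCH_DIRS; do
        n=$(count_recent "$d" 7)
        if [ "$n" -gt 0 ]; then
            echo "ALERT: $n file(s) written under $d in the last 7 days:"
            recent_files "$d" 7 | sed 's/^/    /'
            found=1
        fi
    done
    # crontab -l -u nobody is the check the post names; that user normally
    # has no crontab at all, so any active entry is worth a look.
    entries=$(crontab -l -u nobody 2>/dev/null | active_cron_entries)
    if [ -n "$entries" ]; then
        echo "ALERT: active cron entries for user nobody:"
        printf '%s\n' "$entries" | sed 's/^/    /'
        found=1
    fi
    return $found
}

# Only touch the live system when invoked with --run, e.g.
#   sh check_netscaler.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

The functions are kept separate from the live invocation so they can be tested against a scratch directory and constructed crontab text; on an appliance, run it with --run from a scheduled job (as root, since reading another user's crontab needs it) and forward the ALERT lines to your SIEM.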

Use the YARA and Sigma rules by Arnim Rupp and Florian Roth to create your detections in your favorite SIEM or SOAR.

What to do?

  • Apply the mitigation steps.
  • Wait for the real fix.
  • Think about your cyber exposure.
  • And of course, keep monitoring your systems with your favorite SIEM/SOAR.
