Nobody expected the madness that happened at the end of 2019. At one stage it was like a free for all with security breaches occurring on a daily basis. If you don’t believe us, take a look at our blog articles.
It seems as if 2020 has started in a similar manner. We recently came across the CVE-2019-19781 vulnerability which has some significant ramifications for companies if it is not addressed appropriately.
Active engagement
Several working proof-of-concept (PoC) exploits for the CVE-2019-19781 vulnerability are already publicly available from numerous locations (we won't be linking to them for obvious reasons).
The article adds that the PoC exploits allow attackers to create reverse shells back to their machines and execute malicious commands on the compromised devices, effectively giving the attacker full control over those machines.
A technical deep dive for this vulnerability was published by security outfit MDSec, providing a demo of how a working PoC can be used. TrustedSec also provides a guide that can be followed to check your devices for evidence of a compromise, with Citrix ADC admins being advised to monitor their devices for attacks.
If successfully exploited, this vulnerability allows unauthenticated users to utilize directory traversal to perform arbitrary code execution.
Fix it now
No patch is available yet; instead, Citrix has released a series of steps administrators can use to mitigate the problem.
These steps differ depending on how the system was installed, but the following steps apply to a standalone system:
The article adds that users are also advised to sign up for security alerts from Citrix to be notified when patches become available.
In the meantime, all administrators should apply the mitigation steps and also configure their IDS to monitor for this threat.
According to TrustedSec, you can test whether the mitigations have been applied properly with the following command (replace host with the IP/hostname of your server):
The article points out that if you receive a 403 response, you have applied the mitigations properly. If you can see smb.conf, then the mitigations were not done correctly and the device is still vulnerable.
TrustedSec has also provided a guide that can be used to check your devices for evidence of a compromise.
Finally, Nextron Systems's Florian Roth has provided Sigma detection rules for SIEM systems that can be used to detect attempts to exploit the CVE-2019-19781 vulnerability against Citrix ADC (NetScaler) and Citrix Gateway devices.
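As an added illustration of the two points above, the meaning of a 403 versus a served smb.conf and log-based detection of exploitation attempts, here is a small triage script. It is example code written for this post, not the TrustedSec command or Florian Roth's Sigma rules; the combined-log format, the placeholder IPs and the `/vpn/../vpns/` traversal prefix in the sample lines are assumptions.

```python
"""Constructed example: scan web-server access-log lines for directory-traversal
requests that resolve into the Citrix /vpns/ tree, then report whether the device
blocked them (403, mitigation in place) or served them (2xx, investigate)."""
import posixpath
import re
from urllib.parse import unquote

# Assumed combined-log layout: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_traversal_into_vpns(raw_path: str) -> bool:
    """True if the URL contains '..' and, once decoded and normalized, lands
    under /vpns/. Decoding twice also catches double-encoded dots (%252e)."""
    path = unquote(unquote(raw_path.split("?", 1)[0]))
    if ".." not in path:
        return False
    return posixpath.normpath(path).startswith("/vpns/")

def triage(lines):
    """Return (ip, path, status, verdict) tuples for every matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal_into_vpns(m["path"]):
            continue
        status = int(m["status"])
        if status == 403:
            verdict = "blocked by mitigation"        # the expected post-mitigation answer
        elif 200 <= status < 300:
            verdict = "SERVED - investigate for compromise"
        else:
            verdict = "attempt, not served"
        findings.append((m["ip"], m["path"], status, verdict))
    return findings

# Constructed sample lines with documentation-range placeholder IPs.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 0',
    '203.0.113.5 - - [11/Jan/2020:10:01:09 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jan/2020:10:02:30 +0000] "GET /vpn/../images/logo.png HTTP/1.1" 200 2048',
    '198.51.100.7 - - [11/Jan/2020:10:02:31 +0000] "GET /vpn/../vpns/cfg/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, path, status, verdict in triage(SAMPLE_LOG):
        print(f"{ip} {status} {verdict}: {path}")
```

A single 403 only proves the responder policy fired for that request; a 2xx on any traversal into /vpns/ from before the mitigation was applied is the signal that warrants the compromise checks in the TrustedSec guide.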
Expected patch release dates
The article points out that Citrix has contacted BleepingComputer to share a blog post containing the estimated dates on which patches for the Citrix Application Delivery Controller (ADC) and Citrix Gateway CVE-2019-19781 vulnerability will become available.
The current schedule for these patches and their corresponding versions is below.
Vigilance is key
As with any cyber breach or vulnerability, discretion is the greater part of valor. If you feel that there is the slightest possibility that you are at risk, then you need to find a solution to resolve the issue. Leaving it unaddressed can have a significantly detrimental impact on your company.
“It is always good to talk to a professional when it comes to these matters. GTconsult has the skills and expertise to do a vulnerability test on your business to see if you need an intervention. We also have solutions to help you combat this vulnerability,” said GTconsult Co-Founder and CEO Bradley Geldenhuys.