Context and affected products
On 17 December 2019, Citrix announced that their ADC (Application Delivery Controller), Gateway and SD-WAN WANOP products were vulnerable to unauthenticated Remote Code Execution.
This vulnerability was found by a security researcher named Corben (@hacker_), and is identified as CVE-2019-19781, also known as "Shitrix".
Citrix released a list of affected products which is as follows:
- Citrix ADC and Citrix Gateway version 13.0 on all supported builds
- Citrix ADC and NetScaler Gateway version 12.1 on all supported builds
- Citrix ADC and NetScaler Gateway version 12.0 on all supported builds
- Citrix ADC and NetScaler Gateway version 11.1 on all supported builds
- Citrix NetScaler ADC and NetScaler Gateway version 10.5 on all supported builds
- Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100 all supported builds
Moreover, the Citrix Netscaler Amazon Machine Images on AWS and ARM images on Azure are vulnerable out of the box.
It is important to note that not all security fixes are available yet; workarounds have been published to limit the exposure of affected devices in the meantime.
Severity
The severity associated with this CVE is estimated as Critical by the Devoteam CERT: any device directly exposed on the Internet must be modified according to the Citrix guide and patched as soon as possible (see Recommendations).
Technical description
The vulnerability that permits the unauthenticated Remote Code Execution is a web-based flaw: directory traversal.
The vulnerability allows an attacker to write commands into an XML file with a POST request and to execute them through the template engine's parser with a GET request. Together, these two requests lead to Remote Code Execution as an unprivileged user.
Citrix ships a Perl script that creates a template from a description. This script can be triggered via a POST request to vpn/../vpns/portal/scripts/newbm.pl. The URL parameter carries a string that includes the RCE payload; the NSC_USER header is an unfiltered path that specifies where the resulting .xml file can later be retrieved from; and NSC_NOUNCE is a nonce that must be repeated in the second request.
A sample request is as follows:
POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
Host: xxxxxxxxx
Connection: close
NSC_USER: ../../../../netscaler/portal/templates/FILENAME
NSC_NOUNCE: abc
Content-Length: 89
url=https://xxxx.fr&title=FILENAME&desc=
[%template.new(('BLOCK'='print `cmd`'))%]
The second request fetches the result of the previously submitted payload. It is a GET request to /vpn/…/vpns/portal/FILENAME.xml that includes the previously submitted nonce in the NSC_NOUNCE header.
It is important to note that there appear to be alternative ways to trigger the vulnerability via other URIs/scripts:
GET /vpns/portal/scripts/picktheme.pl
POST /vpns/portal/scripts/rmbm.pl
POST /vpns/portal/scripts/newbm.pl
Has this vulnerability been exploited in the wild?
The first publicly acknowledged exploitation attempts were reported between 8 January and 11 January. According to BadPackets (@bad_packets), more than 25,000 hosts are vulnerable to CVE-2019-19781.

SANS ISC (@sans_isc) released statistics about active scanning against an ADC honeypot, which show a peak of attempts shortly after the first exploit was published on GitHub.
A week after the disclosure, more exploits were released, as well as Metasploit modules (auxiliary/scanner/http/citrix_dir_traversal and exploit/linux/http/citrix_dir_traversal_rce), which greatly eases an attacker's task against vulnerable hosts.
What are the risks?
The usual risks associated with unprivileged RCE apply here; as an example, a miner (netscalerd) was found on 12 January by NCC Group/Fox-IT.
Lateral movement, botnet enrolment and privilege escalation threats should also be considered, depending on the local configuration. Additional information available in cloud images (instance IDs and so on, sometimes used as default passwords) might also be retrieved by an attacker.
Detection
Thanks to TrustedSec's analysis, a list of relevant log files to investigate has been made public:
- search for the user nobody in notice.log, bash.log, sh.log and similar logs
- search for directory traversal artifacts and /vpn patterns in httpaccess.log and httperror.log, as well as the other typical pattern (a POST followed by a GET for an XML file)
Besides those logs, any process running as a child of httpd should be investigated.
Malicious scripts have been found in the following locations:
- /netscaler/portal/templates
- /var/tmp/netscaler/portal/templates
- /netscaler/portal/scripts
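As an added example (not part of the original advisory), a small Python checker that applies the log patterns above to httpaccess.log entries: traversal via /vpn/../vpns/ (including percent-encoded dots), requests to the three portal scripts, and a POST to a portal script followed by a GET for an .xml file from the same source address. The sample log lines are constructed, and the common log format is an assumption about how the access log is written.

```python
import re
from urllib.parse import unquote

# Constructed sample entries in common log format (assumed format; not real device logs).
SAMPLE_HTTPACCESS_LOG = """\
203.0.113.7 - - [11/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512
203.0.113.9 - - [11/Jan/2020:10:05:11 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143
203.0.113.9 - - [11/Jan/2020:10:05:13 +0000] "GET /vpn/../vpns/portal/FILENAME.xml HTTP/1.1" 200 871
198.51.100.4 - - [11/Jan/2020:10:07:40 +0000] "GET /vpn/%2e%2e/vpns/portal/scripts/picktheme.pl HTTP/1.1" 404 0
203.0.113.7 - - [11/Jan/2020:10:09:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"/vpn/\.\./vpns/", re.IGNORECASE)
SCRIPTS_RE = re.compile(r"/vpns/portal/scripts/(newbm|rmbm|picktheme)\.pl", re.IGNORECASE)
XML_FETCH_RE = re.compile(r"/vpns/portal/[^/?]+\.xml", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line; returns a dict or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # decode %2e%2e so encoded traversal is caught
    return rec


def detect_cve_2019_19781(log_text):
    """Return (ip, reason, path) findings for the patterns named in the advisory."""
    findings = []
    last_post = {}  # ip -> path of the most recent POST to a portal script
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        if TRAVERSAL_RE.search(path):
            findings.append((ip, "traversal", path))
        if SCRIPTS_RE.search(path):
            findings.append((ip, "portal-script", path))
            if method == "POST":
                last_post[ip] = path
        # The two-step pattern: a POST to a portal script, then a GET for an .xml template.
        if method == "GET" and XML_FETCH_RE.search(path) and ip in last_post:
            findings.append((ip, "post-then-get-xml", path))
    return findings
```

Feed the real httpaccess.log contents into detect_cve_2019_19781 and review every source address that appears in a post-then-get-xml finding first.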
Sigma rules
https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml
Snort rules
Yara rules
https://github.com/Neo23x0/signature-base/blob/master/yara/exploit_shitrix.yar
Recommendations
Citrix official mitigation guide
Citrix released pre-patch mitigation steps while the patch is being developed:
https://support.citrix.com/article/CTX267679
They also released a roadmap for the expected official fixes, some of which should be available today.
ADC and Gateway
| Version | Refresh Build | Release Date |
|---|---|---|
| 10.5 | 10.5.70.x | 24th January 2020 |
| 11.1 | 11.1.63.15 | 19th January 2020 |
| 12.0 | 12.0.63.13 | 19th January 2020 |
| 12.1 | 12.1.55.x | 24th January 2020 |
| 13.0 | 13.0.47.x | 24th January 2020 |
SD-WAN WANOP
| Version | Citrix ADC Release | Release Date |
|---|---|---|
| 10.2.6 | 11.1.51.615 | 24th January 2020 |
| 11.0.3 | 11.1.51.615 | 24th January 2020 |
An extensive, regularly updated thread on Reddit collects all the technical information available.
Alexandre MASSON
Olivier CHATAIL