Analysis of the CVE-2019-19781 vulnerability affecting multiple Citrix Products

Alexandre Masson, CERT Alert

Context and affected products

On 17 December 2019, Citrix announced that its ADC (Application Delivery Controller), Gateway and SD-WAN WANOP products were vulnerable to unauthenticated Remote Code Execution.

This vulnerability was found by security researcher Corben (@hacker_) and is identified as CVE-2019-19781, also known as “Shitrix”.

Citrix released a list of affected products which is as follows:

  • Citrix ADC and Citrix Gateway version 13.0 on all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 on all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 on all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 on all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 on all supported builds
  • Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000 and 5100, all supported builds

Moreover, the Citrix NetScaler Amazon Machine Images on AWS and ARM images on Azure are vulnerable out of the box.

Note that not all security fixes are available yet; workarounds have been published to limit the exposure of affected devices.

Severity

The Devoteam CERT rates the severity of this CVE as Critical: any device directly exposed to the Internet must be modified according to the Citrix guide and patched as soon as possible (see Recommendations).

Technical description

The vulnerability that permits unauthenticated Remote Code Execution is a web-based flaw: directory traversal.

The vulnerability allows an attacker to write commands into an XML file with a POST request and to have them executed by the template engine that parses that file with a GET request. Together, these two requests lead to Remote Code Execution as an unprivileged user.

A Perl script shipped with the Citrix product creates a template from a description. It can be triggered via a POST request to vpn/../vpns/portal/scripts/newbm.pl. The url parameter contains a string including the RCE payload, the NSC_USER header carries an unfiltered path that specifies where the .xml file can be retrieved, and the NSC_NOUNCE header carries a nonce that must be repeated in the second request.

A sample request is as follows:

    POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1
    Host: xxxxxxxxx
    Connection: close
    NSC_USER: ../../../../netscaler/portal/templates/FILENAME
    NSC_NOUNCE: abc
    Content-Length: 89
    url=https://xxxx.fr&title=FILENAME&desc=
    [%template.new(('BLOCK'='print `cmd`'))%]  

The second request fetches the result of the previously submitted payload. It is a GET request to /vpn/…/vpns/portal/FILENAME.xml that includes the previously submitted nonce in the NSC_NOUNCE header.

Note that there appear to be alternative ways to trigger the exploit through other URIs/scripts:

    GET /vpns/portal/scripts/picktheme.pl
    POST /vpns/portal/scripts/rmbm.pl
    POST /vpns/portal/scripts/newbm.pl

Has this vulnerability been exploited in the wild?

The first publicly acknowledged exploitation attempts were reported between 8 January and 11 January. According to Bad Packets (@bad_packets), more than 25,000 hosts are vulnerable to CVE-2019-19781.

SANS ISC (@sans_isc) released statistics about active scanning against an ADC honeypot, which show a peak of attempts shortly after the first exploit appeared on GitHub.
A week after the disclosure, more exploits were released, as well as Metasploit modules (auxiliary/scanner/http/citrix_dir_traversal and exploit/linux/http/citrix_dir_traversal_rce), which greatly eases the task of an attacker facing vulnerable hosts.

Discovery and exploitation attempts timeline from SANS ISC honeypots

What are the risks?

The usual risks associated with unprivileged RCE apply here; one example is the miner (netscalerd) found on 12 January by NCC Group/Fox-IT.

https://www.virustotal.com/gui/file/20343854b8c348146bf17fe739ce9028a620f93116438291f1b0b89345e18520/detection

Lateral movement, botnet enrolment and privilege escalation threats must also be considered, depending on the local configuration. Additional information provided in cloud images (instance IDs and so on, sometimes used as default passwords) might also be retrieved by an attacker.

Detection

Thanks to TrustedSec's analysis, a list of relevant log files to investigate has been made public.

  • search for the user nobody in {notice.log, bash.log, sh.log…}
  • search for directory traversal artifacts and /vpn patterns in httpaccess.log and httperror.log, as well as the other typical pattern (a POST followed by a GET to an XML file)

Besides those logs, any process running as a child of httpd should be investigated.

Malicious scripts have been found in the following locations:

  • /netscaler/portal/templates
  • /var/tmp/netscaler/portal/templates
  • /netscaler/portal/scripts
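As an added illustration of the log patterns listed above (this is not code from the advisory, from TrustedSec or from Citrix), the following Python script scans access-log lines for the /vpn/.. traversal artifact and for the POST-to-newbm.pl-then-GET-to-XML sequence from the same source IP. It assumes httpaccess.log uses the Apache access-log layout and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Apache-style access log line; NetScaler's httpaccess.log is assumed to use this shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Directory traversal out of /vpn, raw or URL-encoded (e.g. /vpn/../vpns/...).
TRAVERSAL_RE = re.compile(r'/vpn/(?:\.\.|%2e%2e)', re.IGNORECASE)
# Template-creating scripts named in the advisory, and the XML the second request fetches.
SCRIPT_RE = re.compile(r'/vpns/portal/scripts/(?:newbm|rmbm)\.pl', re.IGNORECASE)
XML_RE = re.compile(r'/vpns/portal/[^/?]+\.xml$', re.IGNORECASE)

# Constructed sample lines (not real traffic): one full POST-then-GET sequence,
# one lone traversal probe and two benign portal requests.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:10:15:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jan/2020:10:15:02 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "-" "python-requests/2.22.0"
203.0.113.7 - - [11/Jan/2020:10:15:03 +0000] "GET /vpn/../vpns/portal/FILENAME.xml HTTP/1.1" 200 512 "-" "python-requests/2.22.0"
198.51.100.9 - - [11/Jan/2020:10:16:40 +0000] "GET /vpn/../vpns/portal/scripts/picktheme.pl HTTP/1.1" 200 83 "-" "curl/7.64.0"
192.0.2.44 - - [11/Jan/2020:10:17:00 +0000] "GET /vpn/logout.html HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Flag traversal requests and POST-script-then-GET-XML sequences per source IP."""
    findings = []
    saw_post = defaultdict(bool)  # source IP -> a POST to newbm.pl/rmbm.pl was seen
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        if TRAVERSAL_RE.search(path):
            findings.append({"ip": ip, "kind": "traversal", "path": path, "status": rec["status"]})
        if method == "POST" and SCRIPT_RE.search(path):
            saw_post[ip] = True
        elif method == "GET" and saw_post[ip] and XML_RE.search(path):
            # The XML fetch that completes the two-request pattern described above.
            findings.append({"ip": ip, "kind": "post_then_get_xml", "path": path, "status": rec["status"]})
            saw_post[ip] = False
    return findings
```

Run scan_log over the contents of httpaccess.log and review every source IP with a post_then_get_xml finding first, then the remaining traversal hits; a 200 status on the XML fetch means the template was actually served.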

Sigma rules

https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml

Snort rules

https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/

Yara rules

https://github.com/Neo23x0/signature-base/blob/master/yara/exploit_shitrix.yar

Recommendations

Citrix official mitigation guide

Citrix released pre-patch mitigation steps while the patch is being developed.

https://support.citrix.com/article/CTX267679

They also released a roadmap for the expected official fixes, some of which should be available today.

ADC and Gateway

Version   Refresh Build   Release Date
10.5      10.5.70.x       24th January 2020
11.1      11.1.63.15      19th January 2020
12.0      12.0.63.13      19th January 2020
12.1      12.1.55.x       24th January 2020
13.0      13.0.47.x       24th January 2020

SD-WAN WANOP

Version   Citrix ADC Release   Release Date
10.2.6    11.1.51.615          24th January 2020
11.0.3    11.1.51.615          24th January 2020

An extensive Reddit thread collects all the technical information available and is regularly updated.

Alexandre MASSON

Olivier CHATAIL