Vulnerability in Citrix ADC and Gateway: If you run Citrix in your network, this is a must-read

Updated January 30th 2020

Permanent fixes are now available for all supported versions of ADC, Gateway and SD-WAN WANOP vulnerable to CVE-2019-19781.

As you may be aware, Citrix released an article in December 2019 identifying a path traversal flaw in Citrix Application Delivery Controller (ADC) and Gateway. This flaw, labeled CVE-2019-19781, places any corresponding system at risk of attack, allowing unauthenticated users to potentially gain remote code execution.

And, this is no small-scale issue – over 125,000 Citrix ADC or Gateway hosts are publicly accessible.

Growing awareness

Attackers are aware of the flaw, intently searching for vulnerable hosts. Now, several exploit scripts are also available that enable CVE-2019-19781. Many organizations are already reporting exploitation attempts. Several organizations have even revealed how they identified attackers or how they were able to achieve limited file writing on vulnerable hosts in trials themselves. Successful attempts often use requests with these paths:

  • /vpns/
  • /vpn/../vpns/cfg/smb.conf
  • /vpn/../vpns/portal/scripts/newbm.pl

Mitigation steps

Take these steps to mitigate attempts of attack. The steps involve running a series of commands from the command line interface of the appliance to create a responder action and policy – the priority of which should be set to 1 – and a precautionary reboot. These actions should thwart potential attackers and return some of their requests with HTTP 403 FORBIDDEN responses.

In the event your Citrix ADC was compromised, a threat actor could have exported sensitive information which could lead to additional threat to the organization. To that end, we’re recommending these steps:

· Create new ldap user account for AD lookups
· Change password of old account and disable
· Replace certificates hosted on ADC
· Revoke replaced certificates
· Cleanup xml files
· Cleanup CRON jobs
· (If necessary) Rebuild/Re-Provision

Inaction is risky

If you use Citrix ADC or Gateway, it is critical to take action now. And, if you have questions around this issue and how to protect your organization, please email support@a2u.net.