Citrix released a security advisory (CTX267027) for CVE-2019-19781, a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the appliance and, from there, to reach private network resources behind it.
The vulnerability affects all supported versions of Citrix ADC and Citrix Gateway. Citrix has disclosed few details, but the published mitigation suggests that the VPN handler does not sufficiently sanitize user-supplied input, allowing path traversal: an exploit attempt is an HTTP request whose URL contains both ‘/../’ and ‘/vpns/’. The mitigation is a responder policy that decodes the request URL and returns a 403 when it contains “/vpns/” and either the client is not in an established SSL VPN session or the URL also contains “/../”, as seen below.
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
Qualys has issued QID 372305 for Qualys Vulnerability Management to detect this vulnerability in affected Citrix products. This QID is included in signature version VULNSIGS-2.4.788-2.
QID 372305 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)
The QID contains both a remote and an authenticated signature to check for the presence of the vulnerability on Citrix products.
You can search for this new QID in AssetView or within the VM Dashboard by using the following QQL query:
This will return a list of all impacted hosts.
You can also create a Dashboard to track all Citrix vulnerabilities as shown in the template below:
Finding Vulnerable Hosts
The fastest way to locate vulnerable hosts is through the Qualys Threat Protection Live Feed as seen here:
Simply click on the Impacted Assets number to see a list of hosts with this vulnerability.
Customers should apply Citrix’s mitigation steps for CVE-2019-19781 (CTX267027) as soon as possible. Customers can also check their systems for exploit attempts by running “grep” over the HTTP access logs for requests that contain both “vpns” and “..”.
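The following is an added example, not code from the Qualys post or from Citrix’s advisory, that turns the grep check above into a small triage script and mirrors the matching logic of the responder policy (the request must reference the /vpns/ handler and carry a “..” traversal). Because the responder policy matches on the decoded URL, the script also catches the URL-encoded form of the traversal (%2e%2e), which a literal grep for “..” would miss. The log path /var/log/httpaccess.log and the Apache-style log format are assumptions (typical for an ADC appliance; verify on yours), and the sample log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Qualys post or Citrix advisory): grep-based
# triage of Citrix ADC/Gateway HTTP access log lines for CVE-2019-19781
# exploit attempts. ASSUMPTION: the access log is Apache-style and lives at
# /var/log/httpaccess.log; adjust LOGFILE for your appliance.
LOGFILE="${LOGFILE:-/var/log/httpaccess.log}"

# A line is flagged when it references the /vpns/ handler AND contains a
# parent-directory traversal in plain ("..") or URL-encoded ("%2e%2e",
# "%2e.", ".%2e") form. Matching is case-insensitive, like the appliance's
# own URL decoding, so "%2E" is treated the same as "%2e".
VPNS_RE='vpns'
TRAVERSAL_RE='(\.|%2e)(\.|%2e)'

# is_exploit_attempt LINE -> exit status 0 if the line looks like an
# exploit attempt, 1 otherwise.
is_exploit_attempt() {
  printf '%s\n' "$1" | grep -qiE "$VPNS_RE" &&
  printf '%s\n' "$1" | grep -qiE "$TRAVERSAL_RE"
}

# scan_log FILE -> print every flagged line, one per line.
scan_log() {
  grep -iE "$VPNS_RE" "$1" | grep -iE "$TRAVERSAL_RE"
}

# count_hits FILE -> number of flagged lines in FILE.
count_hits() {
  scan_log "$1" | wc -l | tr -d ' '
}

# Constructed sample log (not real traffic): two plain traversal attempts,
# one URL-encoded attempt, and two benign requests.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "curl/7.64.0"
203.0.113.5 - - [11/Jan/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 155 "-" "curl/7.64.0"
198.51.100.7 - - [11/Jan/2020:03:15:22 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "python-requests/2.22.0"
192.0.2.10 - - [11/Jan/2020:03:16:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.11 - - [11/Jan/2020:03:16:30 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
EOF

# Stand-alone run: report on the constructed sample. Against a real
# appliance, run: scan_log "$LOGFILE" (and the rotated copies as well).
echo "Suspicious requests in $SAMPLE_LOG: $(count_hits "$SAMPLE_LOG")"
scan_log "$SAMPLE_LOG"
```

Run it on the appliance (or on logs copied off it) as `LOGFILE=/path/to/httpaccess.log sh scan.sh` and then `scan_log "$LOGFILE"`; include rotated log files in the sweep, since the vulnerability was exploitable before the mitigation was published. A hit shows that an attempt reached the handler, not necessarily that it succeeded, so follow up on the response codes and on what the requested script or file would have done.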
Qualys customers can scan their network with QID 372305 to detect vulnerable assets.