Login

Register

Login

Register

#cybersecurity | #hackerspace |

Citrix ADC and Gateway Remote Code Execution Vulnerability (CVE-2019-19781)


Citrix released a security advisory (CVE-2019-19781) for a remote code execution vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway products. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers could obtain access to private network resources without requiring authentication.

Vulnerability

The vulnerability affects all supported versions of Citrix ADC and Citrix Gateway products. As Citrix did not disclose many details about the vulnerability, the mitigation steps suggest the VPN handler fails to sufficiently sanitize user-supplied inputs. The exploit attempt would include HTTP requests with ‘/../’ and ‘/vpns/’ in the URL. The responder policy rule checks for string “/vpns/” and if user is connected to the SSLVPN, and sends a 403 response as seen below.

add responder policy ctx267027 “HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(”/vpns/”) && (!CLIENT.SSLVPN.IS_SSLVPN “https://securityboulevard.com/” HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(”/../”))” respondwith403

Detecting CVE-2019-19781

Qualys has issued QID 372305 for Qualys Vulnerability Management that covers authentication and remote vulnerabilities present in affected Citrix products. This QID is included in signature version VULNSIGS-2.4.788-2.

QID 372305 : Citrix ADC And Citrix Gateway Arbitrary Code Execution Vulnerability (CTX267027)

The QID contains a remote and an authenticated signature to check the presence of vulnerability in Citrix Products.
You can search for this new QID in AssetView or within the VM Dashboard by using the following QQL query:

vulnerabilities.vulnerability.qid:372305
vulnerabilities.vulnerability.cveId:`CVE-2019-19781`

This will return a list of all impacted hosts.

You can also create a Dashboard to track all Citrix vulnerabilities as shown in the template below:

 

Finding Vulnerable Hosts

The fastest way to locate vulnerable hosts is though the Qualys Threat Protection Live Feed as seen here:

https://securityboulevard.com/

Simply click on the Impacted Assets number to see a list of hosts with this vulnerability.

Mitigation

Customers are recommended to apply Citrix’s Mitigation Steps for CVE-2019-19781 as soon as possible. Also, customers can check their systems for exploit attempts using “grep” for requests that contain “vpns” and “..”.

Qualys customers can scan their network with QID 372305 to detect vulnerable assets.



Source link

Leave a Reply

Shqip Shqip አማርኛ አማርኛ العربية العربية English English Français Français Deutsch Deutsch Português Português Русский Русский Español Español

National Cyber Security Consulting App

 https://apps.apple.com/us/app/id1521390354

https://play.google.com/store/apps/details?id=nationalcybersecuritycom.wpapp


NATIONAL CYBER SECURITY RADIO
[spreaker type=player resource="show_id=4560538" width="100%" height="550px" theme="light" playlist="show" playlist-continuous="true" autoplay="false" live-autoplay="false" chapters-image="true" episode-image-position="left" hide-logo="false" hide-likes="false" hide-comments="false" hide-sharing="false" hide-download="true"]
HACKER FOR HIRE MURDERS
 [spreaker type=player resource="show_id=4569966" width="100%" height="350px" theme="light" playlist="show" playlist-continuous="true" autoplay="false" live-autoplay="false" chapters-image="true" episode-image-position="left" hide-logo="false" hide-likes="false" hide-comments="false" hide-sharing="false" hide-download="true"]

ALEXA “OPEN NATIONAL CYBER SECURITY RADIO”

National Cyber Security Radio (Podcast) is now available for Alexa.  If you don't have an Alexa device, you can download the Alexa App for free for Google and Apple devices.   

nationalcybersecurity.com

FREE
VIEW