CITRIX-CHECKER

PLEASE USE OUR CHECKER TWO TIMES TO BE SURE

INFORMATION

This website gives you the results if your service is vulnerable for CVE-2019-19781. 

Permanent fixes for CVE-2019-19781 ADC versions 11.1 and 12.0 are available

https://www.citrix.com/downloads/citrix-adc/ Permanent fixes for CVE-2019-19781 ADC versions 11.1 and 12.0 are available now on https://www.citrix.com/downloads/citrix-adc/: These fixes also apply to Citrix ADC/Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). It is necessary to upgrade all Citrix ADC/Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC/Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes. 12.1, 13.0, 10.5 builds are still as planned in the CVE KB https://support.citrix.com/article/CTX267027

Responder policy to mitigate: (its not fully safe)

To apply the mitigate fix login to the console or access it with putty and login. Default username: nsroot default password: nsroot You can run the following codes after you succesfully logged in: enable ns feature responder add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\"" add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403 bind responder global ctx267027 1 END -type REQ_OVERRIDE save config You can also apply it on the management interface by running the next commands: shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" reboot There is a few ways to identify that your maybe compromized or atleast a victim. Login again to the console or terminal and run the next commands and you will see dates + random files(like DxzXvx.xml) created. shell ls -l /netscaler/portal/templates/ ls -l /netscaler/portal/scripts/ ls -l /var/tmp/netscaler/portal/templates/ ls -l /var/vpn ls -l /var/vpns ls -l /etc/crontab cat /etc/crontab Not verified solution but perhaps it can minimize the effect: Login to NS start with: shell chmod -R 700 /netscaler/portal/templates/ chmod -R 700 /netscaler/portal/scripts/ chmod -R 700 /var/tmp/netscaler/portal/templates/ chmod -R 700 /var/vpn/bookmark chown -R root:wheel /netscaler/portal/templates/ chown -R root:wheel /netscaler/portal/scripts/ chown -R root:wheel /var/tmp/netscaler/portal/templates/ chown -R root:wheel /var/vpn/bookmark The default permissions are mostly drwxr-xr-x 3 root wheel or drwxr-xr-x 4 nobody wheel There are also pentesters/white(ethical hackers)/grey hats which are also exploiting to see the impact and show companies that they are vulnerable. We are using the vulnerability checker code of Trustedsec which is made by Rob Simon and David Kennedy. If there are any questions you can contact info@senux-it.nl