Necessary Questions to and for Citrix on the CVE-2019-19781 Vulnerability


Questions to the community and to Citrix directly:

Question to Citrix: I would like a definitive statement on whether NetScaler devices in the Citrix Cloud were attacked. If so, what measures were taken?

Question to Citrix: Were all partners fully informed, with all technical details, about the vulnerability and the potential threats? By that I do not mean the reference to the single document "CTX267679 - Mitigation steps for CVE-2019-19781". There is no clear recommendation from Citrix on how to act in case of this vulnerability.

Question to Citrix: Due to the vulnerability, the configuration data of the NetScaler, the passwords of nsroot, and the passwords of ALL users who have ever logged in via the NetScaler at some point in time have been transferred to the outside world. What action does Citrix recommend? Exact details please!

Question to Citrix: Some NetScalers/ADCs use the FreeBSD operating system as their Linux system. However, the corresponding version of the NetScaler operating system is "OUT-OF-DATE". When will there be changes and updates?


According to the manufacturer, security updates will not be available until the end of January 2020, depending on the version branch of the affected products. These should then be installed as soon as possible, according to Citrix. I seriously wonder why it takes about six weeks to close such a large security hole, which has been known since 17.12.2019. That can only mean that:


1. Citrix itself is not technically capable of handling the problem
2. Citrix does not have sufficient trained personnel to deal with the problem as quickly as possible
3. Citrix may be pushing the "cloud" strategy. Perhaps the statement "This wouldn't have happened in the cloud" will come in mid-February - let's see what else we can expect.

In Germany alone, almost 5,000 vulnerable Citrix systems accessible from the Internet have been reported to German network operators in the past few days. Currently, around 1,500 of these are still vulnerable to attackers (source: BSI). Worldwide, about 40,000 systems are likely to be affected. Unfortunately Citrix reacts slowly; workarounds and patches are not offered comprehensively, and solutions are recommended. A "shutdown" of the systems is certainly no solution, but at most a "workaround".

Citrix provides an analysis tool (CTX269180) for a potential attack. But Citrix also says:

"Please note that the tool is not designed to detect the vulnerability against the NSIP or other Management IPs" - well, have fun with it, wow!

 

There are about 20 risks that have been identified, including a file with all passwords of nsroot and of all users who have ever logged in. Either you find the passwords in plain text or as hash values. It is not difficult to decrypt the seemingly "difficult" passwords. Processes, scripts, files etc. are replaced or executed.
The danger is considered extremely high. I am surprised that Citrix does not consider it necessary to communicate openly about this topic or to work out a solution. In my opinion it would be necessary for all companies that have been attacked to make public statements. Data of many customers/persons/companies are currently in danger. Information is EVERYTHING. Many companies are affected, but also Citrix, whose share price is in great danger. One now has a few alternatives:
1. remove the NetScaler from the network until a patch may be available at the end of the month, and reinstall everything
2. precise analysis of the appliance(s); this is unfortunately very (time) expensive, but feasible
3. security check of the entire network and proactive introduction of security measures.
 


I am waiting for good answers, dear friends! Thanks for any information.

 

Wolfgang
 

 

17 hours ago, Wolfgang Ruttscheidt1709161626 said:

No answers from Citrix ???? 

More information: PLEASE READ - Citrix "I would like to have answers

Did you know that Citrix ADC (including 13.x) is running on an unsupported version of FreeBSD? FreeBSD 8.4 was already EOL on August 1, 2015.

 


Shutting down all NetScaler systems? In my opinion "YES" 

 

I would like to point out that an additional vulnerability in two HTTP headers has been discovered in Citrix NetScaler. Since the first Proof of Concept (PoC) exploits were published, attacks on Citrix ADC have been detected.

 

During an analysis it was found that two known exploits leave files in the following directories:
/var/tmp/netscaler/portal/templates
/netscaler/portal/templates


To detect vulnerable systems, the following command must be entered in the shell of the Citrix ADC/NetScaler:

curl https://host/vpn/../vpns/cfg/smb.conf --path-as-is

 

A response code of 200 means that the Citrix ADC/NetScaler is vulnerable. A 403 response code indicates that the workaround to mitigate the bug is in place. A 404 response probably means that it is not a Citrix ADC or another vulnerable system.

 

404 Exploit Not Found:
Does the above test report back the code "404 Exploit Not Found"? Then it is possible that the Citrix ADC/NetScaler has already been visited by a bot.
Whoever knows a secret passphrase can access the Citrix ADC/NetScaler. A hidden access point opens access to Citrix ADC/NetScaler devices for a later attack.

 

I would also like to point out that a ROOT password changed by you is not a secure solution.
It has happened in the last 5 days that the original password for the user ROOT has been reset. I can only imagine that an "old" CONFIG FILE has been copied back by the attacker.
I will continue to analyze the threat and provide more information.

 

Wolfgang
