
Citrix Vulnerability Mitigation (CVE-2019-19781)
This post is an informational announcement detailing the Citrix NetScaler Vulnerability and what Datashield is doing to help our customers detect and mitigate the issue.

Since the announcement of the vulnerability in Citrix devices (CVE-2019-19781), Datashield has performed extensive analysis and research on exploit attempts, attack patterns, and the latest intelligence. Citrix released security bulletin CTX267027 describing a vulnerability in various Citrix products that allows an unauthenticated attacker to achieve remote code execution.

Detection:

It is currently difficult to determine the exact origin of an attack against Citrix devices using the CVE-2019-19781 vulnerability. Attacks are encrypted and are therefore difficult to detect without packet capture combined with a decryption solution, which makes traditional web attack detection methods less useful and reliable. The best method for detecting this type of attack is to monitor for unexpected connections from Citrix devices to out-of-country IPs. For those with global operations, whitelisting certain IPs or IP ranges may be necessary.

C2 traffic typically consists of the retrieval of a payload containing a shell, script, or other backdoor. This is often observed in plaintext and is the most readily identifiable indication of an attack.

Mitigation:

No official patch is currently available, although Citrix mitigations are available for the following Citrix ADC, Citrix Gateway, NetScaler Gateway, and Citrix NetScaler ADC devices:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

Some suggestions for mitigation and containment include:

  • Block inbound and outbound traffic to the known attacker IP addresses.
  • Implement Citrix’s recommendations that were provided in the communication DATASHIELD sent out Wednesday January 15th.  For your reference, the recommended Citrix mitigations are here: https://support.citrix.com/article/CTX267679
  • Pull bash history log. The path of the log should be /usr/bin/bash/bash.log.
  • Review cron jobs on the Citrix NetScalers, disable/remove suspicious cron jobs.
  • Change passwords for all users on the device(s).
  • Pull a list of running processes and terminate any confirmed suspicious/malicious processes (specifically running under the user nobody).
  • Review any files that have a file modification date on or after January 10, 2020.  While a file modification date can be manipulated to make forensic analysis harder, it’s recommended to pull and review any of these files.
  • Pull the Apache access logs
  • Review suspicious files within the directories /netscaler/portal/templates and /var/tmp/netscaler/portal/templates. If you identify any suspicious files, delete them or remove the malicious code.
  • Review the Apache error and notice logs for any suspicious activity
  • The following commands will locate any successful exploit attempts against the device:
       grep -iE 'POST.*\.pl HTTP/1\.1" 200 ' /var/log/httpaccess.log -A 1
       grep -iE 'GET.*\.xml HTTP/1\.1" 200' /var/log/httpaccess.log -B 1
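As an added example, not part of the Datashield announcement, the script below wraps the two httpaccess.log checks from the list above in functions so a monitoring job can alert on a non-zero hit count and list the source addresses behind the hits. The log lines, addresses and request paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Datashield announcement: wrap the two
# httpaccess.log checks in functions so a monitoring job can alert on
# a non-zero hit count. Log content, addresses and paths are constructed.

# Print lines matching the shapes the announcement describes: a POST to a
# .pl resource or a GET of a .xml resource that the server answered 200.
# "|| :" keeps the function from failing when one pattern has no hits.
find_exploit_hits() {
    logfile="$1"
    grep -iE 'POST.*\.pl HTTP/1\.1" 200 ' "$logfile" || :
    grep -iE 'GET.*\.xml HTTP/1\.1" 200' "$logfile" || :
}

# Number of matching lines; zero means the log shows no successful attempt.
count_exploit_hits() {
    find_exploit_hits "$1" | wc -l | tr -d ' '
}

# Source addresses behind the hits, one per line, for blocking or review.
hit_sources() {
    find_exploit_hits "$1" | awk '{ print $1 }' | sort -u
}

# Constructed sample log in Apache combined format (documentation addresses).
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.10 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.10 - - [11/Jan/2020:03:14:09 +0000] "POST /portal/scripts/sample.pl HTTP/1.1" 200 0 "-" "curl/7.64.0"
198.51.100.10 - - [11/Jan/2020:03:14:10 +0000] "GET /portal/sample.xml HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.5 - - [11/Jan/2020:04:00:00 +0000] "POST /portal/scripts/sample.pl HTTP/1.1" 403 0 "-" "curl/7.64.0"
203.0.113.5 - - [11/Jan/2020:04:00:01 +0000] "GET /portal/sample.xml HTTP/1.1" 404 0 "-" "curl/7.64.0"
EOF
}

# Stand-alone run against the sample; on a device use /var/log/httpaccess.log.
sample="$(mktemp)"
write_sample_log "$sample"
echo "successful exploit indicators: $(count_exploit_hits "$sample")"
hit_sources "$sample"
rm -f "$sample"
```

Only the two requests answered 200 are counted; the 403 and 404 attempts from the second address are not reported.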

Post Attack Remediation:

Remediation is expected to take the form of a complete wipe and rebuild of any infected Citrix devices.

Citrix has stated that a wipe tool will be available by the end of day on January 16th and will announce when it is available. Datashield recommends applying the mitigation immediately to devices that are not infected.

If devices have been impacted, we recommend standing up isolated, fresh builds of the required devices with the mitigation applied, deploying the fresh builds, and then standing down the infected builds.


Datashield
Official Datashield account for blog content, news, announcements and more. The articles authored include a collaboration between internal staff, specifically the security operations and marketing team.
