{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-002.pdf"
    },
    "title": "UPDATE: Critical Vulnerability in Citrix Products",
    "serial_number": "2020-002",
    "publish_date": "13-01-2020 11:22:00",
    "description": "A critical vulnerability affecting Citrix products has been disclosed in December 2019. The vulnerability, identified as CVE-2019-19781, could allow an attacker to get access to the internal network without requiring authentication. Numerous exploits to leverage this vulnerability have been publicly released. As of 24/01/2020 all patches are available, but an investigation of potential compromises is advised.",
    "url_title": "2020-002",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in Citrix Products'\nversion: '1.6'\nnumber: '2020-002'\ndate: 'February 3, 2020'\n---\n\n_History:_\n\n* _13/01/2020 --- v1.0 -- Initial publication_\n* _14/01/2020 --- v1.1 -- Updated with risks associated with common Cloud Services_\n* _15/01/2020 --- v1.2 -- Updated with guidelines for investigating affected systems_\n* _16/01/2020 --- v1.3 -- Updated with additional affected products and versions_\n* _20/01/2020 --- v1.4 -- Updated with information about some patches available_\n* _24/01/2020 --- v1.5 -- Updated with additional detection tools and more patches available_\n* _03/03/2020 --- v1.6 -- Updated with additional investigation guidelines_\n\n# Summary\n\nA critical vulnerability affecting Citrix products has been disclosed in December 2019 [1]. The vulnerability, identified as CVE-2019-19781, could allow an attacker to get access to the internal network without requiring authentication. Numerous exploits to leverage this vulnerability have been publicly released [6, 7, 8]. **As of 24/01/2020 all patches are available, but an investigation of potential compromises is advised.**\n\n# Technical Details\n\nThe affected Citrix products fail to restrict access to Perl scripts using directory traversal [2]. A remote attacker could provide crafted contents to these scripts without being authenticated. 
This results in **arbitrary code execution** [5].\n\n# Products Affected\n\nThis vulnerability affects the following products [5]:\n\n* Citrix ADC and Citrix Gateway version 13.0 all supported builds\n* Citrix ADC and NetScaler Gateway version 12.1 all supported builds\n* Citrix ADC and NetScaler Gateway version 12.0 all supported builds\n* Citrix ADC and NetScaler Gateway version 11.1 all supported builds\n* Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds\n* Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100 all supported builds\n\n# Recommendations\n\nPermanent fixes for the affected products are now available [11, 13]. It is recommended to patch as soon as possible. These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated [11]. In addition, it is advised to change the default root password of these appliances as it seems to be easily retrievable [9].\n\nWhere patching is not possible, Citrix has provided some steps to mitigate the problem [4, 5, 6]. It is highly recommended to mitigate this vulnerability following the steps provided by Citrix, and then patch as soon as possible.\n\nWhen investigating potentially compromised Citrix installations, the CVE-2019-19781 DFIR Notes in [10] may be used as a guideline. Also, FireEye has published a scanner that can help in detecting compromised systems [12, 13]. Additionally, US-CERT has published investigation guidelines that should help in detecting potential compromises that could have happened before the mitigations or patches were applied [14].\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/critical-citrix-flaw-may-expose-thousands-of-firms-to-attacks/>\n\n[2] <https://www.kb.cert.org/vuls/id/619785/>\n\n[3] <https://support.citrix.com/article/CTX267679>\n\n[4] <https://support.citrix.com/user/alerts>\n\n[5] <https://support.citrix.com/article/CTX267027>\n\n[6] <https://www.zdnet.com/article/proof-of-concept-code-published-for-citrix-bug-as-attacks-intensify/>\n\n[7] <https://github.com/projectzeroindia/CVE-2019-19781>\n\n[8] <https://github.com/cisagov/check-cve-2019-19781>\n\n[9] <https://twitter.com/KevTheHermit/status/1216318333219491840>\n\n[10] <https://x1sec.com/CVE-2019-19781-DFIR>\n\n[11] <https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/>\n\n[12] <https://github.com/fireeye/ioc-scanner-CVE-2019-19781/>\n\n[13] <https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/>\n\n[14] <https://www.us-cert.gov/ncas/alerts/aa20-031a>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>13/01/2020 --- v1.0 -- Initial publication</em></li><li><em>14/01/2020 --- v1.1 -- Updated with risks associated with common Cloud Services</em></li><li><em>15/01/2020 --- v1.2 -- Updated with guidelines for investigating affected systems</em></li><li><em>16/01/2020 --- v1.3 -- Updated with additional affected products and versions</em></li><li><em>20/01/2020 --- v1.4 -- Updated with information about some patches available</em></li><li><em>24/01/2020 --- v1.5 -- Updated with additional detection tools and more patches available</em></li><li><em>03/03/2020 --- v1.6 -- Updated with additional investigation guidelines</em></li></ul><h2 id=\"summary\">Summary</h2><p>A critical vulnerability affecting Citrix products has been disclosed in December 2019 [1]. The vulnerability, identified as CVE-2019-19781, could allow an attacker to get access to the internal network without requiring authentication. Numerous exploits to leverage this vulnerability have been publicly released [6, 7, 8]. <strong>As of 24/01/2020 all patches are available, but an investigation of potential compromises is advised.</strong></p><h2 id=\"technical-details\">Technical Details</h2><p>The affected Citrix products fail to restrict access to Perl scripts using directory traversal [2]. A remote attacker could provide crafted contents to these scripts without being authenticated. 
This results in <strong>arbitrary code execution</strong> [5].</p><h2 id=\"products-affected\">Products Affected</h2><p>This vulnerability affects the following products [5]:</p><ul><li>Citrix ADC and Citrix Gateway version 13.0 all supported builds</li><li>Citrix ADC and NetScaler Gateway version 12.1 all supported builds</li><li>Citrix ADC and NetScaler Gateway version 12.0 all supported builds</li><li>Citrix ADC and NetScaler Gateway version 11.1 all supported builds</li><li>Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds</li><li>Citrix SD-WAN WANOP software and appliance models 4000, 4100, 5000, and 5100 all supported builds</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Permanent fixes for the affected products are now available [11, 13]. It is recommended to patch as soon as possible. These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated [11]. In addition, it is advised to change the default root password of these appliances as it seems to be easily retrievable [9].</p><p>Where patching is not possible, Citrix has provided some steps to mitigate the problem [4, 5, 6]. It is highly recommended to mitigate this vulnerability following the steps provided by Citrix, and then patch as soon as possible.</p><p>When investigating potentially compromised Citrix installations, the CVE-2019-19781 DFIR Notes in [10] may be used as a guideline. Also, FireEye has published a scanner that can help in detecting compromised systems [12, 13]. Additionally, US-CERT has published investigation guidelines that should help in detecting potential compromises that could have happened before the mitigations or patches were applied [14].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/critical-citrix-flaw-may-expose-thousands-of-firms-to-attacks/\">https://www.bleepingcomputer.com/news/security/critical-citrix-flaw-may-expose-thousands-of-firms-to-attacks/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.kb.cert.org/vuls/id/619785/\">https://www.kb.cert.org/vuls/id/619785/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.citrix.com/article/CTX267679\">https://support.citrix.com/article/CTX267679</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.citrix.com/user/alerts\">https://support.citrix.com/user/alerts</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.citrix.com/article/CTX267027\">https://support.citrix.com/article/CTX267027</a></p><p>[6] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.zdnet.com/article/proof-of-concept-code-published-for-citrix-bug-as-attacks-intensify/\">https://www.zdnet.com/article/proof-of-concept-code-published-for-citrix-bug-as-attacks-intensify/</a></p><p>[7] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/projectzeroindia/CVE-2019-19781\">https://github.com/projectzeroindia/CVE-2019-19781</a></p><p>[8] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/cisagov/check-cve-2019-19781\">https://github.com/cisagov/check-cve-2019-19781</a></p><p>[9] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/KevTheHermit/status/1216318333219491840\">https://twitter.com/KevTheHermit/status/1216318333219491840</a></p><p>[10] <a rel=\"noopener\" target=\"_blank\" 
href=\"https://x1sec.com/CVE-2019-19781-DFIR\">https://x1sec.com/CVE-2019-19781-DFIR</a></p><p>[11] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/\">https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/</a></p><p>[12] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/fireeye/ioc-scanner-CVE-2019-19781/\">https://github.com/fireeye/ioc-scanner-CVE-2019-19781/</a></p><p>[13] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/\">https://www.citrix.com/blogs/2020/01/23/fixes-now-available-for-citrix-adc-citrix-gateway-versions-12-1-and-13-0/</a></p><p>[14] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.us-cert.gov/ncas/alerts/aa20-031a\">https://www.us-cert.gov/ncas/alerts/aa20-031a</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}