CoNetrix strongly recommends that all organizations implement the appropriate mitigation measures for this confirmed vulnerability. CoNetrix has implemented the mitigation steps for all CoNetrix Technology and Aspire customers.
On December 17, 2019, Citrix announced a directory traversal vulnerability in the Citrix Application Delivery Controller (formerly NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway) products. If exploited, this vulnerability could allow an unauthenticated attacker to perform arbitrary code execution. This is similar to the FortiGate vulnerability in 2019.
Citrix Security Bulletin: https://support.citrix.com/article/CTX267027
Citrix has not yet released the security update for this vulnerability. However, they have provided some configuration changes that mitigate the issue: https://support.citrix.com/article/CTX267679
How to Quickly Check for this Vulnerability
CoNetrix Security penetration testers were able to confirm the vulnerability by checking the response when browsing to a specific URL (https://<IP address>/vpn/../vpns/cfg/smb.conf). If you perform the same action and are able to read the smb.conf file, this is confirmation that your system is vulnerable. If the mitigation is in place, you will receive a 403 Forbidden error (or potentially some other error message). Also, CoNetrix Technology engineers discovered IDS/IPS signatures for this exploit, but they were not set to 'block' by default by the IDS/IPS vendor.
How to Mitigate this Vulnerability
As noted in the Security Bulletin, the patch is scheduled to be released by Citrix in the next few weeks. However, this is being actively exploited in the wild, so we encourage you to apply the recommended mitigation steps as quickly as possible.
Steps to Take Post-Mitigation
Remember, it is important to validate that the mitigation is working as expected after applying the configuration.
Once the mitigation steps have been implemented, we recommend consulting with appropriate vendors to determine if there is any evidence of the system being compromised. A few indicators to look for include, but should not be limited to:
- Reviewing the system's active processes and connections to the Internet.
- Working with Citrix to review system logs for any potentially suspicious connection attempts.
- Working with your IDS and/or firewall vendor to review any potentially suspicious connection attempts.
- Checking for newly created XML files in the /netscaler/portal/ and /var/tmp/netscaler/portal/ directories and their sub-directories.
- Searching for and reviewing any newly created files or scripts. Some exploit intelligence has indicated Perl scripts being added to the /netscaler/portal/scripts/ directory.
- Looking for any cron jobs that have been added to give an attacker persistence even after the vulnerability is patched.
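As an added example (not CoNetrix's or Citrix's code), the Python below supports the log review items above: it scans web access log lines for the same /vpn/../vpns/ traversal used in the quick check, and separates attempts that were served (the response that confirms a vulnerable system) from those that received the 403 the mitigation returns. The Apache-style log layout, the LOG_RE field names and the sample entries are assumptions constructed for this example; the appliance's own log format may differ.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format. This layout is an
# assumption: the appliance's own access log may differ, so adapt LOG_RE to it.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Dec/2019:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 1834 "-" "curl/7.64.0"
203.0.113.10 - - [20/Dec/2019:03:14:20 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 1834 "-" "curl/7.64.0"
198.51.100.7 - - [21/Dec/2019:10:02:31 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 403 212 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Dec/2019:10:05:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize(path):
    """Percent-decode and collapse repeated slashes so encoded traversal is not missed."""
    decoded = unquote(unquote(path))  # decode twice to also catch double-encoded dots
    return re.sub(r"/+", "/", decoded).split("?", 1)[0]

def classify(line):
    """Return (ip, timestamp, verdict) for a traversal attempt into /vpns/, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize(m.group("path"))
    # The mitigation blocks requests whose path steps out of /vpn/ into /vpns/.
    if "/../" not in path or "/vpns/" not in path:
        return None
    status = int(m.group("status"))
    if status == 403:
        verdict = "blocked"      # expected once the Citrix mitigation is in place
    elif 200 <= status < 300:
        verdict = "succeeded"    # request was served: treat as possible compromise
    else:
        verdict = "other"
    return m.group("ip"), m.group("ts"), verdict

def triage(log_text):
    """Group traversal attempts by verdict, preserving log order within each group."""
    hits = [h for h in (classify(l) for l in log_text.splitlines()) if h]
    return {v: [h for h in hits if h[2] == v] for v in ("succeeded", "blocked", "other")}

if __name__ == "__main__":
    for verdict, entries in triage(SAMPLE_LOG).items():
        for ip, ts, _ in entries:
            print(f"{verdict:9} {ts} {ip}")
```

Any entry in the "succeeded" group dates the exposure and names a source address to carry into the process, file and cron review steps.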
CoNetrix Security has reviewed data collected during penetration tests from the previous year and notified customers that had this vulnerability. If you are not a CoNetrix customer and would like additional information or assistance with implementing these mitigation steps, we encourage you to contact us.