New Server Vulnerability – Citrix ADC/Netscaler

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

There was increased concern around two server vulnerabilities this past month: Citrix ADC/Netscaler Vulnerability (CVE-2019-19781) and Pulse VPN Vulnerability (CVE-2019-11510), which you can read about in next week’s blog.

Citrix ADC is a purpose-built networking appliance. It improves the performance and security of applications delivered over the web. This new vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system. Once exploited, remote attackers can access private network resources without requiring authentication.

The vulnerability was first announced in December 2019 and was not patched until late January 2020. In that time, we saw the release of proof-of-concept (PoC) exploit code, scanners, and the building of test tools to determine an organization’s vulnerability to attack.

The first PoC exploit consisted of two curl commands. The first writes a template file which would include a user’s shell command. The second requests to download the result of the command execution. This code was written by “Project Zero India”, a group that fashions themselves as an extension of Google’s Project Zero.

After Project Zero India released its exploit, another PoC exploit was released by the security research group TrustedSec. This PoC was similar to the first, except it was written in Python and established a reverse shell.

A “who can build a PoC” contest took off from there and there were a variety of different implementations. In one notable exploit, after gaining access to a vulnerable NetScaler device, the actor cleaned up known malware and deployed code named “NOTROBIN” to block subsequent exploitation attempts. NOTROBIN maintains backdoor access for those who know a secret passphrase. FireEye researchers believe this actor may be quietly collecting access to NetScaler devices for a subsequent campaign or to build out a network of infected devices to be leased in underground markets.

In addition, a new ransomware called Ragnarok was detected. It is used in targeted attacks against unpatched Citrix ADC servers vulnerable to the CVE-2019-19781 exploit. When attackers compromise a Citrix ADC device, various scripts are downloaded and executed that scan for Windows computers susceptible to the EternalBlue vulnerability.

In response to the threat, DHS CISA released a public domain tool designed to help security staff test if their organizations are vulnerable to ongoing attacks that might target the CVE-2019- 19781 security flaw impacting the Citrix products. Also, CERT/CC released Vulnerability Note VU#619785, which contains mitigation steps describing techniques to block the handling of requests that contain a directory traversal attempt (/../) and also requests attempting to access the /vpns/ directory.

Related reading