Citrix NetScaler CVE-2019-19781
Vulnerability CVE-2019-19781 in Citrix NetScaler has been a pain for organizations’ IT departments for the last two weeks and it still keeps us busy supporting our clients responding to attacks.
Citrix NetScaler systems have been badly attacked, especially since the first exploits were published end of last week. Since then, scripts scan the whole Internet for vulnerable systems and attack them automatically. Attackers operating these scripts just wait for shells to pop up to provide them access to these systems.
It is a good example of how proper patch management processes and timely reaction to vendor security notices can save you costs in the long run.
Citrix has not published a patch yet, but they provide a workaround to mitigate the vulnerability. However, it does not work on all versions of Citrix NetScaler, which means you might also have to upgrade.
Be aware that even if you have secured your systems with the workaround, your NetScalers might have been successfully attacked before already. Especially if you only applied the workaround after exploits were published. Applying the workaround does not mean that your systems are clean!
Indicators of Compromise
- Check firewall logs for outgoing connections from Citrix NetScaler systems. Such connections are suspicious, because NetScaler usually does not connect to the Internet.
- Check your NetScaler or network logs for HTTP requests to */scripts/newbm.pl*. This script is used in most exploits and these requests indicate attacks.
- Check NetScaler files system for XML files in /netscaler/portal/templates/. In these files you can usually find commands executed by attackers. However, attackers could have deleted these files already.
- Check NetScaler file systems for changed files in /netscaler/portal/scripts/. We have seen attackers create backdoors in this directory. Check MAC-times and the file contents. Be aware that attackers try to disguise their scripts and make them appear legitimate, so examine them in detail or compare them to a clean system.
- Check NetScalers for cron jobs created by attackers to get persistence on the system.
Inspect the notice log for suspicious commands executed. There might be system enumeration commands (such as cat /proc/version or cat /etc/passwd) or attempts to download malicious code (such as curl or wget).
We identified the following further Indicators of Compromise (IoCs):
- 95.179.163.186
- 61.218.225.74
- 185.178.45.221
- https://pastebin.com/raw/d3SY1erQ
See also here for a summary of some more publicly known IoCs.
Update 23.01.2020:
Citrix and Fireeye released a tool to search for known Indicators of Compromise on NetScaler systems. It can be used to identify compromised systems.