Check your website for CVE-2019-19781 Vulnerable
#VISIT https://citrix-checker.com TO CHECK IF YOU ARE VULNERABLE FOR CVE-2019-19781
PLEASE USE OUR CHECKER TWO TIMES TO BE SURE
This website gives you the results if your service is vulnerable for CVE-2019-19781. There is a responder policy to mitigate the issue until there is a permanent fix.
To apply the fix login to the console or access it with putty and login. Default username: nsroot default password: nsroot
You can run the following codes after you succesfully logged in:
- enable ns feature responder
- add responder action respondwith403 respondwith ""HTTP/1.1 403 Forbidden\r\n\r\n""
- add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS("/vpns/") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS("/../"))" respondwith403
- bind responder global ctx267027 1 END -type REQ_OVERRIDE
- save config
You can also apply it on the management interface by running the next commands:
- shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
- shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" reboot
There is a few ways to identify that your maybe compromized or atleast a victim. Login again to the console or terminal and run the next commands and you will see dates + random files(like DxzXvx.xml) created. shell
- ls -l /netscaler/portal/templates/
- ls -l /netscaler/portal/scripts/
- ls -l /var/tmp/netscaler/portal/templates/
- ls -l /var/vpn
- ls -l /var/vpns
- ls -l /etc/crontab
- cat /etc/crontab
Not verified solution but perhaps it can minimize the effect: Login to NS start with: shell chmod -R 700 /netscaler/portal/templates/ chmod -R 700 /netscaler/portal/scripts/ chmod -R 700 /var/tmp/netscaler/portal/templates/ chmod -R 700 /var/vpn/bookmark
chown -R root:wheel /netscaler/portal/templates/ chown -R root:wheel /netscaler/portal/scripts/ chown -R root:wheel /var/tmp/netscaler/portal/templates/ chown -R root:wheel /var/vpn/bookmark
The default permissions are mostly
- drwxr-xr-x 3 root wheel or
- drwxr-xr-x 4 nobody wheel
There are also pentesters/white(ethical hackers)/grey hats which are also exploiting to see the impact and show companies that they are vulnerable.
We are using the vulnerability checker code of Trustedsec which is made by Rob Simon and David Kennedy. If there is any questions you can contact info@senux-it.nl