Looks like there is big trouble in little China here. There is a responder policy you can put into place to mitigate this CVE until the software is released to update your ADC. All credit here goes to Citrix hosting the information. I’m just providing you a quick link back to the action! For those that want to know more, I found this great explanation of what happens with this exploit.

Citrix NetScaler CVE-2019-19781: What You Need to Know

https://support.citrix.com/article/CTX267679

For those that do not wish to follow the link, I have the info below!

Standalone:

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config 

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" 
reboot 

For your HA users out there:
On primary:

enable ns feature responder add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\"" add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403 bind responder global ctx267027 1 END -type REQ_OVERRIDE save config  shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" 
reboot
  
On secondary after primary comes up:

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" 
reboot 

Good news, is that they have released dates for the firmware!

Citrix ADC and Citrix Gateway
Version Refresh Build Expected Release Date
10.5 10.5.70.x 31st January 2020
11.1 11.1.63.x 20th January 2020
12.0 12.0.63.x 20th January 2020
12.1 12.1.55.x 27th January 2020
13.0 13.0.47.x 27th January 2020
Citrix SD-WAN WANOP 
10.2.6 11.1.63.x TBD
11.0.3 11.1.63.x TBD

Leave a Comment

Your email address will not be published. Required fields are marked *