Citrix NetScaler CVE-2019-19781: What You Need to Know
https://support.citrix.com/article/CTX267679
For those that do not wish to follow the link, I have the info below!
Standalone:
enable ns feature responder add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\"" add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403 bind responder global ctx267027 1 END -type REQ_OVERRIDE save config shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" reboot For your HA users out there: On primary: enable ns feature responder add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\"" add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403 bind responder global ctx267027 1 END -type REQ_OVERRIDE save config shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" reboot On secondary after primary comes up: shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0 shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler" reboot
Good news, is that they have released dates for the firmware!
Citrix ADC and Citrix Gateway | ||
Version | Refresh Build | Expected Release Date |
10.5 | 10.5.70.x | 31st January 2020 |
11.1 | 11.1.63.x | 20th January 2020 |
12.0 | 12.0.63.x | 20th January 2020 |
12.1 | 12.1.55.x | 27th January 2020 |
13.0 | 13.0.47.x | 27th January 2020 |
Citrix SD-WAN WANOP | ||
10.2.6 | 11.1.63.x | TBD |
11.0.3 | 11.1.63.x | TBD |