Citrix CVE-2019–19781 vulnerability is the current hot topic in Information Security circles this week, as exploits for this vulnerability are now publicly available and may allow unauthenticated attackers to obtain direct access to the company’s local network from the Internet. Citrix NetScaler ADC and Gateway products are vulnerable.
According to cybersecurity expert Kevin Beaumont (aka GossiTheDog on Twitter) who runs a network of Citrix ADC honeypots the active exploitation of CVE-2019–19781 started on January 8th, 2020:
https://twitter.com/GossiTheDog/status/1214892555306971138
According to various estimates 40,000–80,000 organisations worldwide might be affected and vulnerable! Which means that hackers might be able to sneak in to your corporate network through the devices which are supposed to be the gatekeepers into your network! Not good.
Citrix have released the mitigation, which is effectively a policy which detects and blocks the attempts to exploit the attack, however there is no proper patch released yet (as of 10th January 2020) which would fix the underlying problem in the software code.
I strongly advise all organisations with NetScaler/ADC to apply the Citrix mitigation immediately to avoid compromise — the steps to mitigate the vulnerability are documented in the following Citrix Support Article :
CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller and Citrix Gateway
However, in order to patch/apply mitigation to your vulnerable Citrix devices you need to be able to find them first ! IT Asset inventory is a big problem in information security/cyber security as it is the devices/services/servers you don’t know about which pose the biggest risk.
OWASP Nettacker project can help you address the task of scanning multiple devices for this vulnerability as well as the task of finding the vulnerable devices in your network.
What is OWASP Nettacker? OWASP Nettacker in a nutshell is a Swiss Army Knife for Reconnaissance & Vulnerability Scanning — it is a relatively new OWASP project written in Python consisting of multiple modules (63 at the time of writing) which can be used from the single command line (use one or a combination of modules) against a target or a list of targets to perform an information gathering scan or a vulnerability detection scan.
Last night I added a new vulnerability detection module to OWASP Nettacker: citrix_cve_2019_19781_vuln making it the 63rd tool in this framework.
I usually run OWASP Nettacker on my KALI Linux VM, but because OWASP Nettacker is written in Python it can be run on any Linux/Mac/Windows system— provided you have Python2 and Python3 installed.
You can install OWASP Nettacker by doing a ‘git clone https://github.com/zdresearch/OWASP-Nettacker’ from GitHub and installing the Python dependencies using a single command like this:
git clone https://github.com/zdresearch/OWASP-Nettacker.git && cd OWASP-Nettacker && pip install -r requirements.txt && python setup.py install
If you hit any issues please check the Installation section in the OWASP Nettacker Wiki here:
Once OWASP Nettacker is installed change directory to OWASP-Nettacker:
cd OWASP-Nettacker
Now you can run the tool using Python specifying that you need the module citrix_cve_2019_19781_vuln in -m command line switch and your target (IP/IP range/FQDN) in -i like this:
python nettacker.py -i <target> -m citrix_cve_2019_19781_vuln
to scan a single IP address (xxx.xxx.xxx.xxx):
python nettacker.py -i xxx.xxx.xxx.xxx -m citrix_cve_2019_19781_vuln
However if you don’t know how many Citrix devices you have and their precise IP addresses you can use OWASP Nettacker to scan a whole IP range (e.g. xxx.xxx.xxx.xxx/24):
python nettacker.py -i xxx.xxx.xxx.xxx/24 -m citrix_cve_2019_19781_vuln
If you don’t know the IP address ranges of your network but do know that Citrix devices have subdomains (e.g. remote.mycompany.com, vpn.mycompany.com, access.mycompany.com etc) you can ask Nettacker to enumerate subdomains and test them for Citrix vulnerability like this (please note the -s command like switch which instructs Nettacker to discover the subdomains of the domain name listed in the -i ):
python nettacker.py -i mycompany.com -s -m citrix_cve_2019_19781_vuln
If you have the list of IPs/FQDNs of your Citrix devices saved in a file called list.txt (one line per IP or FQDN) you can scan all the devices in your list using the -l command line switch:
python nettacker.py -l list.txt -m citrix_cve_2019_19781_vuln
If you would like to save the OWASP Nettacker report in JSON format instead of the default HTML format you can specify the report output filename using the -o command line switch (-o filename.json) for example
python nettacker.py -i xxx.xxx.xxx.xxx/24 -m citrix_cve_2019_19781_vuln -o report.json
...
Follow me on Twitter: https://twitter.com/securestep9
Top comments (0)