cloudDNA Citrix ADC (NetScaler) vulnerability CVE-2019-19781 recovery service.
Important, your Citrix ADC (NetScaler) may be compromised!
In December, Citrix announced a vulnerability in its Citrix ADC (formerly NetScaler ADC), Citrix Gateway (formerly NetScaler Gateway) and Citrix SD-WAN WAN Optimisation Edition (formerly CloudBridge WAN Op Edition) appliances across a range of form factors.
In summary, if exploited, the vulnerability allows an unauthenticated attacker to execute arbitrary code. The consequences range from service disruption, to access to cryptographic secrets that renders encryption effectively useless, to use of the device as a foothold to penetrate further into the network and access confidential data.
This is a very serious matter. While working recently with a number of organisations that have been victims, cloudDNA has found that the communication mechanisms utilised by Citrix have been of limited value in some instances – “another mail in a seldom accessed group mailbox” in one example discussed with a customer this week, “…came during the Christmas break” from another. Hopefully, your joiners/movers/leavers policies have mechanisms to update vendor notification systems, but if not, follow the prompts on this link to get back in the loop. https://support.citrix.com/use…
The original notification included a simple mitigation of around half a dozen lines of code that was unobtrusive and simple to apply. That was great for those who received and reacted to the message. At that stage in December, while not applying the fix was a significant risk, there was arguably a low probability of a successful attack – it just wasn’t that well known at the time and success needed a lot of skill.
The public publication of exploits.
Fast forward to January 10th and Project Zero India published a working exploit to GitHub, swiftly followed by TrustedSec publishing their own Python script that worked in a very similar way. These actions allowed anyone with an interest, web access and limited knowledge to have a go. Evidence published by industry analysts showed the internet being scanned by several groups, who then targeted identified machines in vast quantities across the globe.
To put this in context, we’ve seen evidence in a UK Public Sector customer of multiple minor attackers probing a machine prior to a far more sophisticated ‘Mr Big’ attacker pushing past them to install a back door, deep in the file structure of the appliance. The planning here is textbook: the attacker attempts to hide their footsteps, then goes on to apply the mitigation fix as they leave (the half a dozen lines of code published by Citrix in December). This final action stops another hacker being able to attack the appliance after they’ve gone, so Mr Big can maintain control of the device. Hint – if your appliance has miraculously applied the responder policy mitigation all by itself then this could be you.
At this stage in this example, all appears to lie dormant, but evidence from another device suggests that appliance computational resource has been hijacked, presumably for currency mining. If your appliances are not particularly busy in user terms but are displaying high CPU utilisation in the GUI then this could be something to investigate.
Is your Citrix ADC at risk?
The evidence to date suggests that if you have an appliance online that did not have the mitigation (responder policy) applied prior to January the 10th, there is a strong case to suspect that the appliance may have been compromised. cloudDNA strongly recommends that you act now to resolve the matter. If you have sensitive data behind your appliances then time is very much of the essence.
While there are a number of guides available, it’s important to note that assessing the suitability of the appliance backups and preparing for the recovery process are critical to an effective remediation. We’ve had as many calls from folks who have tried to do it themselves and not been able to get back to the desired state as we’ve had from organisations who’ve asked us to do it on their behalf. Please tread with caution, or give us a call…
As a Citrix Networking Specialist Partner, cloudDNA has already assisted multiple organisations across a wide range of industries with the identification, recovery and protection of exploited appliances across all physical and virtual form factors. We currently have an incident response team dedicated to getting customers back into a good state as swiftly as possible, often within 24 hours of the initial request for help.
To make things simple, we have a fixed price structure for VPX, MPX and SDX appliance analysis and recovery. We also offer an optional firmware upgrade for feature enhancement or product support requirements, plus the ability to pay by credit card if we don’t currently have a commercial agreement in place. Call our UK based team on 0330 010 3443 or drop a mail to firstname.lastname@example.org