@wdormann
Note that Citrix is rolling out changes to address CVE-2019-19781 for some versions at support.citrix.com/article/CTX267…
Unauthenticated users no longer appear to be able to request the pages in question. pic.twitter.com/kh2oJlOd10
Will Dormann
@wdormann
10 Jan
The cat's pretty much out of the bag on how to exploit this. Expect widespread exploitation attempts for CVE-2019-19781 at this point.
Despite being almost a month old, there is NO PATCH from @citrix at this point. Only a (very important) mitigation.
kb.cert.org/vuls/id/619785/ twitter.com/HackingDave/st… pic.twitter.com/mYyokzy2pq
Will Dormann
@wdormann
10 Jan
You don't need to run a working exploit to know if a system is vulnerable or not, though. Simply visit:
CITRIXGATEWAY/vpns/cfg/smb.conf
in your web browser or script or whatever.
If you get a file, the system is vulnerable.
If you get a 403, it has had mitigations applied.
Will Dormann
@wdormann
10 Jan
Also, FreeBSD 8.4 was EOL'd years ago. And even FreeBSD v. current doesn't even have ASLR enabled (not that it'd matter in this particular case).
And this is something you're exposing directly to the Internet?
YOLO!
Will Dormann
@wdormann
16 Jan
Note that Citrix has updated support.citrix.com/article/CTX267… since its initial release. Two notable changes:
1) Citrix SD-WAN WANOP has been added to affected products.
2) Citrix ADC Release 12.1 builds before 51.16/51.19 and 50.31 have bugs that make the mitigations not work. Whoops!
Will Dormann
@wdormann
16 Jan
And just for the record, /vpn/../vpns/cfg/smb.conf is the more universal form of the URI to test the vulnerability. The directory traversal is required for IPs listening for the VPN Virtual server.
e.g.
curl https://CITRIXGATEWAY/vpn/../vpns/cfg/smb.conf --path-as-is -k
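The two posts above describe one read-only check: request the smb.conf path and read the status code. The script below is an added example (not Will Dormann's code, and not a Citrix tool) that wraps that same curl request so an administrator can run it against a list of their own gateways and get a verdict per host; the host names are placeholders you supply, and the status-to-verdict mapping follows the thread (file served means no mitigation, 403 means the mitigation is active).

```shell
#!/bin/sh
# Added example, not from the thread. Runs the CTX267027 mitigation check
# described above (GET /vpn/../vpns/cfg/smb.conf) against gateways you own
# and turns the HTTP status code into a verdict.

# Map the status code curl reports to a verdict. Per the thread:
#   200 -> the file was served, mitigation NOT in place (vulnerable)
#   403 -> the responder mitigation is active
#   000 -> curl could not connect (timeout, DNS, TLS failure)
#   anything else -> inconclusive, inspect the appliance by hand
classify_status() {
    case "$1" in
        200) echo "vulnerable" ;;
        403) echo "mitigated" ;;
        000) echo "unreachable" ;;
        *)   echo "inconclusive" ;;
    esac
}

# Issue the request exactly as in the thread's curl line:
#   --path-as-is  keeps the /vpn/../vpns segment literal (curl would otherwise
#                 collapse the ".." before sending the request)
#   -k            accepts the appliance's self-signed certificate
#   -s -o /dev/null -w '%{http_code}'  discard the body, print only the status
# Only the status code is used; the file contents are never stored.
check_gateway() {
    host="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' -k --path-as-is \
        --max-time 10 "https://${host}/vpn/../vpns/cfg/smb.conf")
    printf '%s %s %s\n' "$host" "$code" "$(classify_status "$code")"
}

# Usage: ./citrix_check.sh gateway1.example.com gateway2.example.com ...
# (hypothetical host names; the loop does nothing when no arguments are given)
for h in "$@"; do
    check_gateway "$h"
done
```

A 403 only tells you the responder policy is answering; on the 12.1 builds the later post calls out (before 51.16/51.19 and 50.31) the mitigation itself is known not to work, so the build number still has to be checked separately.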