Threat Signal Report

Proof Of Concept for CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller and Citrix Gateway) Published

description-logo Description

FortiGuard Labs SE team is aware of new proof of concept available targeting Citrix Gateway, CVE-2019-19781 (Vulnerability in Citrix Application Delivery Controller and Citrix Gateway) released over the weekend. The vulnerability was first identified in December, and disclosed to Citrix by researchers. The Citrix Application Delivery Controller (ADC) (previously known as NetScaler ADC) and Citrix Gateway (previously known as NetScaler Gateway) if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

What is the vulnerability specifically?
At this time, details of the vulnerability have not been disclosed. However, according to researchers at Qualys, it appears that the vulnerability suggests the VPN handler fails to sufficiently sanitize user-supplied inputs. The exploit attempt would include HTTP requests with '/../' and '/vpns/' in the URL. The responder policy rule checks for string "/vpns/" and if user is connected to the SSLVPN, will result in a 403 response.

What is the impact of this issue?
High. Because exploitation is trivial and does not require an unauthenticated user to execute commands, an attacker can access the private network of the targeted victim and carry out arbitrary code execution. As exploitation is trivial it can be performed by anyone without knowledge of user credentials or accounts; and attacks that originate from the affected device can be leveraged to target other victim assets by allowing attackers to gain a foothold which will ultimately allow for pivoting within the victims' network. Furthermore, due to the newly available proof of concept code available online, in the wild attacks are expected to occur soon.

What products and platform/versions are affected?
Citrix ADC and Citrix Gateway version 13.0 all supported builds
Citrix ADC and NetScaler Gateway version 12.1 all supported builds
Citrix ADC and NetScaler Gateway version 12.0 all supported builds
Citrix ADC and NetScaler Gateway version 11.1 all supported builds
Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

What is the status AV and IPS coverage?
Fortinet customers running the latest IPS definitions are protected by the following signature: Citrix.Application.Delivery.Controller.VPNs.Directory.Traversal

AV coverage for this event is not feasible.

Are there any mitigations made available by the vendor?
According to Citrix, there is no mitigation available at this time for the affected devices. A firmware update will be released sometime at the last week of January. For customers of Citrix running affected products, please visit the reference section for a link to the Official Citrix support forum for CVE-2019-19781.

References (External Links):
Citrix CVE-2019-19781 Advisory
Citrix CVE-2019-19781 Support Forum
Proof Of Concept for CVE-2019-19781


Traffic Light Protocol

Color When Should it Be used? How may it be shared?


Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.


Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.


Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.


Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.