NetScaler ADC的Citrix应用程序交付控制器(ADC)和以前称为NetScaler Gateway的Citrix Gateway中,已发现一个漏洞,如果利用该漏洞,则可能允许未经身份验证的攻击者执行任意代码执行。

已为漏洞分配了以下CVE编号:

•CVE-2019-19781:Citrix Application Delivery Controller和Citrix Gateway中的漏洞导致任意代码执行

该漏洞影响所有受支持的产品版本和所有受支持的平台:

•Citrix ADC和Citrix Gateway版本13.0所有受支持的内部版本

•Citrix ADC和NetScaler Gateway版本12.1所有受支持的内部版本

•Citrix ADC和NetScaler Gateway版本12.0所有受支持的内部版本

•Citrix ADC和NetScaler Gateway版本11.1所有受支持的内部版本

•Citrix NetScaler ADC和NetScaler Gateway版本10.5所有受支持的内部版本

Mitigation Steps for CVE-2019-19781

Solution

The following configuration changes serve as a mitigation to the aforementioned vulnerability.

Standalone System

Run the following commands from the command line interface of the appliance to create a responder action and policy:

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config 

Ensure that the changes apply to the management interfaces as well. From the command line interface, please run the following commands.

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot

HA Pair

On primary:

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config 
shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot

 On secondary after primary comes up:

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot

Cluster

On CLIP:

enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config 
shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot

Each cluster node:

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot

Admin partition

switch ns partition default
enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
save config
shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0
shell "echo 'nsapimgr_wr.sh -ys skip_systemaccess_policyeval=0' >> /nsconfig/rc.netscaler"
reboot

Procedure to revert the changes (Standalone,CLIP, HA Primary)

unbind responder global ctx267027
rm responder policy ctx267027
rm responder action respondwith403
save config

Remove nsapi command from rc.netscaler. (Below command will search rc.netscaler file for the below pattern and remove the line that was originally added)

shell nsapimgr_wr.sh -ys skip_systemaccess_policyeval=1
shell "sed -i '' '/skip_systemaccess_policyeval=0/d' /nsconfig/rc.netscaler"
reboot

The reboot, in each of the scenarios above, is not necessary to apply the policy but it is a precautionary step to ensure that if there are any open sessions,obtained via the vulnerability prior to policy application, are cleared.

官方KB: https://support.citrix.com/article/CTX267679

发表评论

电子邮件地址不会被公开。 必填项已用*标注