Karl Kidder

asked on

CVE-2019-19781 :: How could our NetScaler be compromised?

Back in December 2019, we learned of CVE-2019-19781. We have an HA pair of ADCs in our DC that at the time were running an unpatched version of 12.1. In February 2020, we updated to build 55.18, which patched our ADCs against the CVE. When the vulnerability first came out, we were told it only affected those with a public-facing management IP. We do not have that; all configuration of the ADCs is internal. We assumed that we were safe and never gave the CVE another thought, especially once we were patched.
Forward to this past week: we had a NetScaler consultant assist us with updating the certificates on our ADCs, and once complete, he wanted to run the ioc-scanner to see if we had been impacted by that vulnerability. The scan results showed signs of compromise, and the consultant recommended we scrub the drives immediately and rebuild. Not so easy in a 24x7 healthcare environment.

We opened a ticket with Citrix Support to get additional information and were asked to upload system files, which we provided. The next day, Citrix Support replied letting us know that if we feel we had been compromised, to wipe the MPX and reconfigure it from scratch, as they do not provide forensic analysis. All we wanted to know was whether our ADCs had in fact been compromised. We were given an extremely vague reply.

I guess my question is, how could we have been compromised if we did not have an externally facing management IP? How else could a perpetrator have accessed our ADCs? Wouldn't they have had to have had access to admin credentials to access and run code?

Note we will be wiping our drives and reconfiguring our ADCs… I'm just looking for something more than a link to a URL for the CVE and 3rd-party scans.
Thanks,
Karl
Kimputer

External facing management IP keeps you safe from the outside world.
You didn't take into account that someone from the inside (either malicious by connecting a laptop in the LAN environment, or malicious software by a user click) can do the trick as well.

ASKER

We have taken into consideration an insider and have not ruled that out.
Thanks for your comment.
Karl
Btw:
Wouldn't they have had to have had access to admin credentials to access and run code?
That's why it's a remote vulnerability with such a high alert.

"that could allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable system" --whenever you see this, you act IMMEDIATELY.
Correct, Kimputer. I agree with your assessment to act immediately. But how would they gain unauthenticated remote access... with no outside management IP?
Thanks
Is it possible that a malicious actor compromised another computer with external access?
They would then be able to attempt to access other internal resources.
If you're inside the LAN, they can use the inside management IP address (which is just the server IP)
Scott & Kimputer, thank you both for your comments.

What I am gleaning is that, without an externally facing management IP address, the likelihood of a breach is slim to none. Though, if the malicious actor has access to the LAN, through whatever means, they would then be able to run code against a vulnerable ADC just by having access to the ADC's IP address.

Am I correct in that assessment?

Thanks,
Karl
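An added example from the editor, not code from the thread, from Citrix or from the ioc-scanner the consultant ran (that tool was the Citrix/FireEye scanner published in January 2020). One thing the thread never pins down is where the CVE-2019-19781 requests actually arrive: the traversal is in the Gateway/AAA virtual server's /vpn/ handler, so it is reachable on whatever VIP users connect to, not only the NSIP used for management, and it needs no credentials. The most useful evidence you can get from the box yourself before wiping it is therefore the HTTP access log: who sent /vpn/../vpns/ requests, and were they LAN addresses or not. The script below parses Apache "combined" format lines (which is what the ADC writes to /var/log/httpaccess.log; verify on your build), percent-decodes the path twice so encoded traversal is not missed, flags any path that climbs from /vpn/ into /vpns/, and buckets the sources into RFC1918 versus everything else. The log lines in SAMPLE_LOG are constructed for the example; the two file names in them (smb.conf, newbm.pl) are the paths named in the public IOC guidance, but the detection keys on the traversal shape, not on those names.

```python
"""Scan NetScaler/ADC httpaccess-style log lines for CVE-2019-19781 requests.

Added example, not part of the original thread or of any Citrix tool.
Assumptions (labelled): Apache 'combined' log lines; 'internal' means
RFC1918 only (extend RFC1918 with your own VPN pools / DMZ ranges).
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, NamedTuple
from urllib.parse import unquote

# Apache 'combined' format as written to /var/log/httpaccess.log (assumed).
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The CVE-2019-19781 request shape: a path under /vpn/ that uses at least one
# '..' segment to reach the /vpns/ tree, which the gateway served without auth.
TRAVERSAL = re.compile(r'/vpn/(?:\.{1,2}/)*\.\./(?:\.{1,2}/)*vpns/(?P<target>[^?\s]*)')

# What this example treats as 'the LAN'. Add your own ranges as needed.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
10.20.30.40 - - [15/Jan/2020:03:12:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "python-requests/2.22.0"
10.20.30.40 - - [15/Jan/2020:03:12:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 143 "-" "python-requests/2.22.0"
203.0.113.7 - - [15/Jan/2020:03:14:51 +0000] "GET /vpn/..%2fvpns/cfg/smb.conf HTTP/1.1" 200 83 "-" "curl/7.64.0"
192.168.1.15 - - [15/Jan/2020:08:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jan/2020:08:02:13 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5312 "-" "Mozilla/5.0"
"""


class Hit(NamedTuple):
    src: str
    ts: str
    method: str
    target: str   # what was requested under /vpns/
    status: int
    internal: bool


def decode_path(path: str) -> str:
    """Percent-decode twice so '..%2f' and '%252e%252e' forms are caught too."""
    return unquote(unquote(path))


def is_internal(addr: str) -> bool:
    """True only for RFC1918 sources; hostnames or junk count as not-internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def scan(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line whose decoded path matches the traversal."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        t = TRAVERSAL.search(decode_path(m["path"]))
        if not t:
            continue
        hits.append(Hit(m["src"], m["ts"], m["method"], t["target"],
                        int(m["status"]), is_internal(m["src"])))
    return hits


def summarise(hits: List[Hit]) -> Dict[str, Dict[str, int]]:
    """Hit counts per source address, split into internal (RFC1918) and external."""
    internal: Counter = Counter()
    external: Counter = Counter()
    for h in hits:
        (internal if h.internal else external)[h.src] += 1
    return {"internal": dict(internal), "external": dict(external)}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        where = "LAN" if h.internal else "non-LAN"
        print(f"{h.ts}  {h.src:<15} {where:<8} {h.method} /vpns/{h.target} -> {h.status}")
    print(summarise(found))
```

Run it against the rotated logs too (httpaccess.log.*.gz), because the first wave of exploitation was in January 2020 and the live file will have rolled over many times since. A 200 on a POST to a path under /vpns/ from any source is the line to chase; the internal/external split then tells you whether to look for a compromised host on the LAN or for the VIP having been reachable from outside.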
ASKER CERTIFIED SOLUTION
Sam Jacobs

This solution is only available to members.