Citrix CVE-2019-19781. What to do?

Event

On December 17 2019 Citrix released security bulletin CTX267027: A vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that could lead to arbitrary code execution.

I have some Citrix ADC instances in my lab, and I rebuild them often.

In fact, I am in the worst-case scenario: no backup, no snapshot.

However, I am somewhat lucky because it is a VPX and not an MPX.

So in this case what can be done?

We discussed with fellow CTPs the methodology for returning to normal operation in this case, and here are the steps we came up with:

  1. Take a snapshot of the potentially affected installation for forensic analysis and further investigation of whether any data was exfiltrated
  2. Disable the firewall rules that allow access to the ADC from the internet
  3. Implement the mitigation steps following the instructions in this post: https://support.citrix.com/article/CTX267679
  4. Validate the mitigation steps: https://github.com/j81blog/ADC-19781
  5. Save ns.conf following the instructions in this post: https://support.citrix.com/article/CTX222891
  6. Save the license file(s) (to keep the same MAC address, unless you want to relicense the VPX)
    • License file(s) on the ADC are stored in the nsconfig/license directory with a .lic extension
  7. Save certificates and keys
    • Retrieve the certificate and key files from the ADC and place them in a local directory. All the certificate and key files are in the nsconfig/ssl directory.
    • Certificates can be copied off the NetScaler with WinSCP
  8. Spin up a new instance
  9. Provide the initial network configuration (the same as on the "old" ADC(s))
    • NSIP
    • Mask
    • Gateway
  10. Restore ns.conf
    • Use WinSCP to restore the ns.conf file into the nsconfig directory
  11. Restore licenses
    • Use WinSCP to copy the license file(s) into the nsconfig/license directory
  12. Restore certificates and keys
    • Use WinSCP to restore the certificates and keys into the nsconfig/ssl directory
  13. Change the password for all local accounts following the instructions in this post: https://support.citrix.com/article/CTX224027
  14. Change the password for all service accounts defined on the ADC
  15. Create new RSA keys
  16. Request new certificates
  17. Install the new certificates: https://docs.citrix.com/en-us/citrix-adc/13/ssl/how-to-articles/create-and-use-ssl-certificates-on-a-citrix-adc-appliance.html
  18. Revoke the old certificates and uninstall them from the ADC
  19. Re-enable the firewall rules disabled previously
  20. Validate external access
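
The restored ns.conf still carries the hashed local passwords, the encrypted service-account secrets and the certKey bindings from the suspect appliance, which is why steps 13 to 18 rotate all of them. As an added example (not code from the original post or from Citrix), assuming ns.conf uses the usual add/set command syntax, the following Python script builds that rotation checklist from a constructed sample ns.conf:

```python
# Added example: derive a post-restore rotation checklist from an ns.conf.
# The sample below is constructed for illustration; it follows the shape of
# real Citrix ADC config lines, but every name, address and hash is invented.
import shlex

SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
set system user nsroot 0123456789abcdef -encrypted
add system user admin 0123456789abcdef -encrypted -externalAuth DISABLED
add authentication ldapAction ldap_act -serverIP 192.0.2.20 -ldapBase "dc=example,dc=test" -ldapBindDn "svc_adc@example.test" -ldapBindDnPassword 0123456789abcdef -encrypted
add authentication radiusAction radius_act -serverIP 192.0.2.21 -radKey 0123456789abcdef -encrypted
add ssl certKey gw_cert -cert /nsconfig/ssl/gw.example.test.crt -key /nsconfig/ssl/gw.example.test.key
add ssl certKey int_ca -cert /nsconfig/ssl/intermediate.crt
"""

# Option names that carry a stored secret (assumed set; extend as needed).
SECRET_OPTIONS = {"-ldapBindDnPassword", "-radKey", "-password", "-secret"}


def rotation_checklist(ns_conf):
    """Return the local users, service-account entries and certKey pairs
    found in ns_conf. Each item is something to rotate after the restore."""
    users, service_accounts, certkeys = [], [], []
    for line in ns_conf.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: skip the line rather than abort
        if len(tok) < 4:
            continue
        if tok[0] in ("add", "set") and tok[1:3] == ["system", "user"]:
            users.append(tok[3])  # local account: reset its password
        elif tok[0] == "add" and tok[1:3] == ["ssl", "certKey"]:
            opts = dict(zip(tok[4::2], tok[5::2]))  # "-opt value" pairs
            certkeys.append((tok[3], opts.get("-cert"), opts.get("-key")))
        elif tok[0] == "add" and any(o in SECRET_OPTIONS for o in tok):
            secret = next(o for o in tok if o in SECRET_OPTIONS)
            # e.g. "ldapAction ldap_act (-ldapBindDnPassword)"
            service_accounts.append(f"{tok[2]} {tok[3]} ({secret})")
    return {"users": users, "service_accounts": service_accounts,
            "certkeys": certkeys}


if __name__ == "__main__":
    for section, items in rotation_checklist(SAMPLE_NS_CONF).items():
        print(section)
        for item in items:
            print("  rotate:", item)
```

Run it against the ns.conf saved in step 5; certKey entries without a -key are CA chain entries, which need no new RSA key but may still need replacing.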

I am currently working on a detailed walkthrough for a follow-up article; it will cover the steps above in more detail, with screenshots.