On December 17 2019 Citrix released security bulletin CTX267027: A vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that could lead to arbitrary code execution.
I have some Citrix ADC in my lab and I often rebuild it.
In fact, I am in the worst-case scenario: no backup, no snapshot.
However I am somewhat lucky because it’s VPX and not MPX.
So in this case what can be done?
We discussed with fellow CTPs the methodology for returning to normal operation in this case, and hereafter are the steps we thought about:
- Take a snapshot of the potentially affected installation for forensic analysis and further investigation of any data exfiltration
- Disable the firewall rules that allow access to the ADC from the Internet
- Implement the mitigation steps following the instructions in this post: https://support.citrix.com/article/CTX267679
- Validate the mitigation steps: https://github.com/j81blog/ADC-19781
- Save ns.conf following the instructions in this post: https://support.citrix.com/article/CTX222891
- Save the license file(s) (to keep the same MAC address, unless you want to relicense the VPX)
  - License file(s) on the ADC are stored in the nsconfig/license directory with the .lic extension
- Save certificates and keys
  - Retrieve the certificate and key files from the ADC and place them in a local directory. All the certificate and key files are in the nsconfig/ssl directory.
  - Certificates can be retrieved from the NetScaler with WinSCP
- Spin up a new instance
- Provide the initial network configuration (the same as the “old” ADC(s))
  - NSIP
  - Mask
  - Gateway
- Restore ns.conf
  - Use WinSCP to restore the ns.conf file into the nsconfig directory
- Restore licenses
  - Use WinSCP to copy the license file(s) into the nsconfig/license directory
- Restore certificates and keys
  - Restore the certificates and keys using WinSCP into the nsconfig/ssl directory
- Change the password for all local accounts following the instructions in this post: https://support.citrix.com/article/CTX224027
- Change the password for all service accounts defined on the ADC
- Create a new RSA key
- Request new certificates
- Install the new certificates: https://docs.citrix.com/en-us/citrix-adc/13/ssl/how-to-articles/create-and-use-ssl-certificates-on-a-citrix-adc-appliance.html
- Revoke the old certificates and uninstall them from the ADC
- Enable the firewall rules previously disabled
- Validate external access
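As an added example (my own script, not part of the original post or any Citrix tooling), here is a small Python check to run on the copy of nsconfig/ you pulled off the old VPX before tearing it down. It confirms the pieces the rebuild needs are really there: ns.conf, at least one .lic under license/, and every cert and key file that the `add ssl certKey` lines in ns.conf reference under ssl/. The directory layout (a local folder mirroring nsconfig/) and the sample ns.conf lines are constructed; the `add ssl certKey <name> -cert <file> -key <file>` syntax is the appliance's real one.

```python
import re
from pathlib import Path

# Real ns.conf syntax: add ssl certKey <name> -cert <file> -key <file> [options]
# Relative cert/key names resolve under /nsconfig/ssl on the appliance.
CERTKEY_RE = re.compile(r"^add ssl certKey\s+(\S+)\s+(.*)$")
OPT_RE = re.compile(r'-(cert|key)\s+("[^"]*"|\S+)')

def parse_certkeys(ns_conf_text):
    """Map each certKey name to its cert/key file names relative to ssl/."""
    pairs = {}
    for line in ns_conf_text.splitlines():
        m = CERTKEY_RE.match(line.strip())
        if not m:
            continue
        opts = {k: v.strip('"') for k, v in OPT_RE.findall(m.group(2))}
        # A CA certificate may be added with -cert only, so keep whatever is present.
        pairs[m.group(1)] = {k: re.sub(r"^/nsconfig/ssl/", "", v) for k, v in opts.items()}
    return pairs

def check_bundle(ns_conf_text, saved_files):
    """Return a list of problems; an empty list means the bundle is complete.
    saved_files: paths relative to the saved copy of nsconfig/ (e.g. 'ssl/gw.pem')."""
    saved = set(saved_files)
    problems = []
    if "ns.conf" not in saved:
        problems.append("ns.conf missing")
    if not any(p.startswith("license/") and p.endswith(".lic") for p in saved):
        problems.append("no .lic file under license/")
    for name, files in parse_certkeys(ns_conf_text).items():
        for kind, fname in files.items():
            if "ssl/" + fname not in saved:
                problems.append(f"certKey {name}: {kind} file ssl/{fname} not saved")
    return problems

def check_bundle_dir(bundle_dir):
    """Run the same check against a directory tree saved with WinSCP or scp."""
    root = Path(bundle_dir)
    rel = [p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()]
    conf = root / "ns.conf"
    text = conf.read_text(errors="replace") if conf.is_file() else ""
    return check_bundle(text, rel)

# Constructed sample data (not from a real appliance): the gw-cert key was not saved.
SAMPLE_NS_CONF = """\
add ssl certKey ns-server-certificate -cert ns-server.cert -key ns-server.key
add ssl certKey gw-cert -cert "/nsconfig/ssl/gw.pem" -key "/nsconfig/ssl/gw.key" -expiryMonitor ENABLED
add ssl certKey root-ca -cert ca-root.pem
"""
SAMPLE_FILES = ["ns.conf", "license/FID_constructed.lic", "ssl/ns-server.cert",
                "ssl/ns-server.key", "ssl/gw.pem", "ssl/ca-root.pem"]
```

Call `check_bundle_dir(r"C:\adc-backup")` on the folder you pulled with WinSCP; any line it returns means the save steps above are not yet complete.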
I am currently working on a follow-up article covering the above steps in more detail, with screenshots.