Attention to vulnerability of Citrix NetScaler (CVE-2019-19781)
Thank you for using NTT Communications Enterprise Cloud service.
A vulnerability (CVE-2019-19781) has been reported in Citrix NetScaler, which is provided as the Load Balancer menu of Enterprise Cloud 2.0 (hereafter called ECL2.0). This could allow an attacker to perform arbitrary code execution. If customers are using Load Balancer (NetScaler VPX), please collect the latest information on the vulnerability and take appropriate countermeasures if necessary.
1. Please check whether access to the management interface (SNIP) is permitted only from a secure network.
If necessary, we recommend disabling administrative access on unnecessary management interfaces (1) and restricting source IP addresses on the necessary management interfaces (2). Please note that customers cannot access NetScaler if management access is disabled on all management interfaces.
1-1. Disable management access to the management interface (SNIP)
* Communication towards the VIP, which accepts client requests and transfers them to the backend servers, is excluded.
* Configure NetScaler from a secure environment such as the internal network.
1-2. Restrict management access to the management interface (SNIP)
2. In addition to the above, if you are using Citrix (formerly NetScaler) Gateway, please execute the following commands via the CLI to create the responder action and policy.
* How to access the CLI is described below.
enable ns feature responder
add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""
add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403
bind responder global ctx267027 1 END -type REQ_OVERRIDE
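
To see which requests the ctx267027 policy answers with 403, the following Python example (added here, not part of the original advisory or Citrix's own code) approximates the policy expression and applies it to access-log lines. The log format, the sample lines, the placeholder paths, and the use of unquote() as a stand-in for DECODE_USING_TEXT_MODE are assumptions.

```python
import re
from urllib.parse import unquote

# Request line inside a common-log-style entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def policy_matches(url: str, is_sslvpn: bool) -> bool:
    """Approximate the ctx267027 expression for one request URL.

    unquote() stands in for DECODE_USING_TEXT_MODE (assumption);
    is_sslvpn stands in for CLIENT.SSLVPN.IS_SSLVPN, which a log
    line does not record, so the caller has to supply it.
    """
    decoded = unquote(url)
    return "/vpns/" in decoded and (not is_sslvpn or "/../" in decoded)


def flag_lines(lines, is_sslvpn=False):
    """Return (source_ip, url) for each line the policy would reject."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match is None:
            continue  # malformed or non-HTTP entry
        url = match.group("url")
        if policy_matches(url, is_sslvpn):
            hits.append((line.split()[0], url))
    return hits


# Constructed sample lines: documentation IP ranges, placeholder paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2020:00:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2020:00:00:02 +0000] "GET /vpns/placeholder HTTP/1.1" 200 128',
    '198.51.100.7 - - [01/Jan/2020:00:00:03 +0000] "GET /a/%2e%2e/vpns/placeholder HTTP/1.1" 200 128',
    '203.0.113.5 - - [01/Jan/2020:00:00:04 +0000] "POST /a/../vpns/placeholder HTTP/1.1" 200 64',
    'truncated entry without a request line',
]

if __name__ == "__main__":
    for label, vpn in (("non-SSLVPN client", False), ("SSLVPN client", True)):
        print(label)
        for ip, url in flag_lines(SAMPLE_LOG, is_sslvpn=vpn):
            print(f"  403 expected: {ip} {url}")
```

For a client without an SSL VPN session, every request under /vpns/ is rejected; for an SSL VPN client, only requests that also contain /../ after decoding are rejected.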