News

Attention: vulnerability in Citrix NetScaler (CVE-2019-19781)


Thank you for using NTT Communications Enterprise Cloud service.

A vulnerability (CVE-2019-19781) has been reported in Citrix NetScaler, which is provided as the Enterprise Cloud 2.0 (hereafter called ECL2.0) Load Balancer menu. It could allow an attacker to execute arbitrary code. If you are using Load Balancer (NetScaler VPX), please collect the latest information on the vulnerability and take appropriate countermeasures where necessary.

Vulnerability information

https://support.citrix.com/article/CTX267027

Affected Versions

Citrix_NetScaler_VPX_12.1-52.15_Standard_Edition

Citrix_NetScaler_VPX_12.0-53.13_Standard_Edition

Citrix_NetScaler_VPX_11.0-67.12_Standard_Edition

Citrix_NetScaler_VPX_10.5-57.7_Standard_Edition

Countermeasure

1. Please check whether access to the management interface (SNIP) is permitted only from a secure network.

If necessary, we recommend disabling management access on management interfaces that are not needed (1-1) and restricting source IP addresses for the management interfaces that are needed (1-2). Please note that you will no longer be able to reach NetScaler if management access is disabled on every management interface.

1-1. Disable management access to the management interface (SNIP)
* Communication towards the VIP, which accepts client requests and forwards them to the backend servers, is not affected by this setting.

* Configure NetScaler from a secure environment such as the internal network.
https://ecl.ntt.com/en/files/loadbalancer/20170927/citrix-netscaler-vulnerability-disable-mgmt-en.pdf

1-2. Restrict management access to the management interface (SNIP)
https://ecl.ntt.com/en/files/loadbalancer/20170927/citrix-netscaler-vulnerability-acl-en.pdf

2. In addition to the above, if you are using Citrix (formerly NetScaler) Gateway, please run the following commands via the CLI to create the responder action and policy.

* How to access the CLI is described here:

https://ecl.ntt.com/en/documents/tutorials/rsts/LoadBalancer/netscaler-vpx/login.html#access-to-netscaler-vpx-cli-ssh

=========

enable ns feature responder

add responder action respondwith403 respondwith "\"HTTP/1.1 403 Forbidden\r\n\r\n\""

add responder policy ctx267027 "HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/vpns/\") && (!CLIENT.SSLVPN.IS_SSLVPN || HTTP.REQ.URL.DECODE_USING_TEXT_MODE.CONTAINS(\"/../\"))" respondwith403

bind responder global ctx267027 1 END -type REQ_OVERRIDE

save config

=========
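As an added illustration (not part of this notice and not Citrix or NTT code), the following Python models the logic of the ctx267027 policy expression above and runs it over constructed access-log lines, so an operator can see which requests the rule answers with 403 and review existing logs for requests that would have matched. The single-pass percent-decoding used to stand in for DECODE_USING_TEXT_MODE, the common-log-format parsing and the assumption that logged requests are not authenticated SSL VPN sessions are all assumptions of this example.

```python
"""Model of the ctx267027 responder rule above (added example, not NetScaler code)."""
import re
from urllib.parse import unquote

def decode_url_text_mode(url):
    """Assumed approximation of DECODE_USING_TEXT_MODE: one percent-decoding pass."""
    return unquote(url)

def ctx267027_matches(url, is_sslvpn):
    """True when the rule would answer the request with the 403 responder action.
    Decoding before matching is what lets the rule catch percent-encoded forms
    such as /vpn/%2e%2e/vpns/ that a raw substring check would miss."""
    decoded = decode_url_text_mode(url)
    if "/vpns/" not in decoded:  # CONTAINS is case-sensitive as written
        return False
    # Non-SSLVPN clients are always refused; authenticated VPN sessions only
    # when the decoded path also contains a traversal sequence.
    return (not is_sslvpn) or ("/../" in decoded)

# Constructed access-log lines in common log format (documentation IPs, sample paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2020:10:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Jan/2020:10:00:02 +0000] "GET /vpn/../vpns/sample HTTP/1.1" 200 1024',
    '198.51.100.7 - - [12/Jan/2020:10:00:03 +0000] "GET /vpn/%2e%2e/vpns/sample HTTP/1.1" 200 1024',
    '192.0.2.4 - - [12/Jan/2020:10:00:04 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 3000',
]

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def find_requests_rule_would_block(lines):
    """Return (client, method, url) for log lines the rule would have rejected.
    Assumption: a plain access log carries no session state, so every request is
    treated as a non-SSLVPN client, the conservative choice for a review."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, method, url = m.groups()
        if ctx267027_matches(url, is_sslvpn=False):
            hits.append((client, method, url))
    return hits

if __name__ == "__main__":
    for hit in find_requests_rule_would_block(SAMPLE_LOG):
        print("would be answered 403:", hit)
```

A request that reaches /vpns/ and still receives a 200 in the log after the policy is bound indicates the policy is not in effect on that path, so the bind and `save config` steps should be re-checked.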