Critical Citrix ADC Remote Code Execution Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on Citrix ADC RCE vulnerability tracked as CVE-2019-19781, rated as critical with a CVSS score of 9.8

Updated on

April 19, 2023

Published on

September 30, 2020

Read MINUTES

Subscribe to the latest industry news, threats and resources.

Table of Contents

This is also a heading
This is a heading

Citrix ADC (formerly known as NetScaler ADC) family of gateways use NetScaler Packet Processing Engine (NSPPE) to deliver incoming HTTPS requests to concerned services (like HTTP server) running in a network. Services running on Citrix ADC/ NetScaler configuration have vulnerable Perl script handlers that can be exploited using Perl Template Toolkit to obtain RCE. This Template Toolkit is a subsystem for Perl. It is quite similar to other templating libraries in other languages. This allows for inline code to be embedded in documents to make runtime-generated content easier to manage. NetScaler Packet Processing Engine (NSPPE) contains a bug in the process of parsing file paths in the requests, enabling the attacker to access any file the target service has rights to access to. It further grants access to the vulnerable Perl script handler. This then allows the attacker to craft malicious requests to trigger RCE. The complete exploit chain requires two HTTPS requests to achieve command execution. The first request establishes the crafted template, and the second invokes the command when the template is processed.[/vc_wp_text][vc_wp_text]

Impact Analysis

Technical

RCE enables the attacker to gain complete control of the target server.
Compromised system can be used to further the attack deep into the internal network.
Ransomware gangs heavily rely on CVE-2019-19781 to compromise organizations
APT groups use CVE-2019-19781 in their exploit kits

Business

SMBs (Small Medium Businesses) fall prey to data breaches and ransomware attacks caused by fragile cyber security measures.
Ransomware gangs targeting businesses make use of VPN exploits to gain a foothold in the network.
A breach or an attack will trim the operations of a company due to the containment process done as a part of incident response measures.
Companies cannot simply afford a data loss, since everything is tied to data nowadays.
Loss of reputation and goodwill are the aftermath of a cyber attack
Offensive cyber operations now have the ability to influence the value of stocks, shares or equities of a company.

Mitigation

Installing the patch released by the vendor addresses the flaw:

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Table of Contents

This is also a heading
This is a heading

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action

November 15, 2023

CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks

November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Schedule a Demo

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.

Trusted by 400+ Top organisations

Get started

Learn more