Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 部落格


CVE-2019-19781:Exploit Scripts for Remote Code Execution Vulnerability in Citrix ADC and Gateway Available

Attackers are actively probing for vulnerable Citrix Application Delivery Controller (ADC) and Gateway hosts, while multiple proof-of-concept scripts are released, emphasizing the importance of mitigating this flaw immediately.


On December 17, Citrix published a support article for CVE-2019-19781, a path traversal flaw in Citrix ADC and Citrix Gateway, both of which were formerly known as NetScaler ADC and NetScaler Gateway. Citrix cautioned that successful exploitation could result in an unauthenticated attacker gaining remote code execution. Citrix did not provide a patch for the vulnerability, but instead strongly urged customers to apply mitigation steps to thwart exploitation attempts. In the weeks since, attackers have begun scanning for vulnerable hosts for reconnaissance, with some reports suggesting attackers may have already exploited this vulnerability in the wild.

On January 3, SANS Internet Storm Center (ISC) tweeted that they had observed the “first exploit attempt” for this vulnerability in the wild.

According to Shodan, there are over 125,000 Citrix ADC or Gateway hosts publicly accessible. Nate Warfield from Microsoft’s Security Response Center found that every system he “spot checked” was vulnerable to CVE-2019-19781.


The information Citrix provided in their mitigation steps offers clues into the vulnerable component of ADC and Gateway, referencing requests containing the “/vpns/” path. Because this is a path traversal flaw, identifying a vulnerable ADC or Gateway host requires confirming the presence of files located outside the original path requested.

On January 7, SANS ISC published a blog with more details about attackers scanning their honeypots and attempting to exploit the flaw. In the blog, they reference requests looking for a file called smb.conf in the “/vpns/cfg/” path. Requesting this file from a vulnerable Citrix ADC or Gateway will successfully return a configuration file. Systems that have applied Citrix’s recommended mitigations will return an HTTP 403 FORBIDDEN response.

On January 8, Craig Young, principal security researcher on Tripwire’s Vulnerabilities and Exposures Research Term (VERT), published a blog discussing how he achieved “arbitrary command execution” on a vulnerable ADC host. According to Young, there are Perl scripts located in the “/vpns/” path of the Citrix appliances, which can be targeted to allow for limited file writing on the vulnerable host.

On January 10, Rio Sherri, senior security consultant at MDSec, published a blog with additional insight into the limited file writing, highlighting code in the ‘csd’ function of the UserPrefs perl module that “builds a path from the NSC_USER HTTP header without any sanitisation” and will be triggered by any script that calls the function. Sherri found that nearly “all the scripts used this function,” but highlighted one script in particular, newbm.pl. This file accepts parameterized information and builds it into an array stored in an XML file on the vulnerable host. However, code execution is still not feasible at this point. That’s where the research from Young comes into play. He mentions an undocumented feature in the Perl Template Toolkit that “allowed arbitrary command execution when processing a crafted directive.” Sherri saw this as a “potential avenue for exploitation.” By inserting arbitrary code into the XML file, the only remaining step to get code execution would be to get the template engine to parse the file. Sherri achieved this by issuing a specially crafted HTTP request for the XML file stored on the vulnerable host.

All the security researchers opted not to share specific details about the vulnerability due to the fact that Citrix has not yet released a patch for this vulnerability. However, as of January 10, there are exploit scripts in circulation that can achieve code execution.


Recently, there have been several repositories created on GitHub referencing CVE-2019-19781, including exploit scripts that could lead to code execution by a remote, unauthenticated attacker.


While Citrix has provided detailed mitigation steps, currently, there is no patch available despite the advisory being released nearly a month ago. With the availability of exploit scripts for this vulnerability, users are strongly encouraged to apply these mitigation steps as soon as possible. Additionally, we would recommend reviewing your logs for requests to determine if active scanning or exploitation may have already occurred. These requests may include paths, such as:

  • /vpns/
  • /vpn/../vpns/cfg/smb.conf
  • /vpn/../vpns/portal/scripts/newbm.pl


Tenable Research has released a direct check plugin (ID 132752) to identify vulnerable assets in addition to the our version check plugin (ID 132397), which can be found here. Note that the version check plugin (ID 132397) requires enabling 'paranoid mode'.


加入 Tenable Community 的 Tenable 安全回應團隊

深入瞭解 Tenable,這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。

索取 Tenable.io Vulnerability Management 的 30 天免費試用



輸入您的電子郵件地址,以便收到最新 cyber exposure 警示。



您的 Tenable.io Vulnerability Management 試用版也包含 Tenable Lumin、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

tenable.io 購買

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

65 項資產



免費試用 Nessus Professional

免費試用 7 天

Nessus® 是現今市場上功能最全面的弱點掃描工具。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊合作。

購買 Nessus Professional

Nessus® 是現今市場上功能最全面的弱點掃描工具。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊合作。

購買多年期授權,節省更多。新增 365 天全年無休 24 小時全天候可使用電話、社群及對談的進階支援。






您的 Tenable.io Vulnerability Management 試用版也包含 Tenable Lumin、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

Tenable.io 購買

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

65 項資產



試用 Tenable.io Web Application Scanning

享受我們專為現代應用程式而設計,屬於 Tenable.io 平台一部分的最新 Web 應用程式掃描產品的所有功能。不需耗費大量人力或中斷重要 Web 應用程式,即可高度準確且安全地掃描您整個線上產品系列中是否含有任何弱點。 立即註冊。

您的 Tenable Web Application Scanning 試用版也包含 Tenable.io Vulnerability Management、Tenable Lumin 和 Tenable.cs Cloud Security。

購買 Tenable.io Web Application Scanning

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

5 個 FQDN



試用 Tenable.io Container Security

享受整合至弱點管理平台中的唯一容器安全產品的完整功能。監控容器映像中是否有弱點、惡意軟體及政策違規的情形。與持續整合和持續部署 (CI/CD) 系統整合,以支援 DevOps 作法、加強安全性並支援企業政策合規性。

購買 Tenable.io Container Security

Tenable.io Container Security 整合了建置程序,能提供包含弱點、惡意軟體和政策違規等容器映像安全性的能見度,讓您無縫並安全地啟用 DevOps 流程。

試用 Tenable Lumin

透過 Tenable Lumin,能夠以視覺方式呈現 Cyber Exposure 並加以探索,長期追蹤風險降低狀況,以及對照同業進行指標分析。

您的 Tenable Lumin 試用版也包含 Tenable.io Vulnerability Management、Tenable.io Web Application Scanning 和 Tenable.cs Cloud Security。

購買 Tenable Lumin

聯絡業務代表,瞭解 Lumin 如何協助您獲得整個企業的深入洞見,並管理網路風險。

試用 Tenable.cs


您的 Tenable.cs Cloud Security 試用版也包含 Tenable.io Vulnerability Management、Tenable Lumin 和 Tenable.io Web Application Scanning。

聯絡業務代表購買 Tenable.cs

聯絡業務代表,以深入瞭解 Tenable.cs Cloud Security 如何輕鬆讓您的雲端帳戶上線,以及如何在數分鐘內輕鬆取得雲端錯誤設定與弱點的能見度。

免費試用 Nessus Expert

免費試用 7 天

Nessus Expert 是專為現代攻擊破綻所打造,它能讓您從 IT 到雲端洞察更多資訊,並保護貴公司免於弱點危害。

您已擁有 Nessus Professional 嗎?
升級至 Nessus Expert,免費試用 7 天。

購買 Nessus Expert

Nessus Expert 是專為現代攻擊破綻所打造,它能讓您從 IT 到雲端洞察更多資訊,並保護貴公司免於弱點危害。


促銷價格將延長至 12 月 31 日止。