Frequently Asked Questions

(Please check the latest version of this FAQ here)

In December 2019, Citrix advised customers of a vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. Citrix issued CVE-2019-19781 and published a mitigation to address the vulnerability pending release of a patch. On January 19, 2020, Citrix began issuing patches for the identified vulnerability and has updated the CVE accordingly.

Citrix has partnered with FireEye Mandiant to develop a tool that leverages their knowledge of recent attacks against CVE-2019-19781 to help organizations identify potential compromises. The tool combines Citrix's technical knowledge of the Citrix ADC and Gateway products and CVE-2019-19781 with Mandiant's expertise in cyber forensics and recent learnings from CVE-2019-19781. You can find the tool and instructions here.

The FAQ below provides further information about the tool.

What is the purpose of this tool?

This tool looks for known indicators of compromise related to CVE-2019-19781 on Citrix ADC, Gateway, and SD-WAN WANOP devices. As with every forensics tool, it cannot guarantee completeness against all possible indicators of compromise, but it aims to detect the indicators of compromise known to Citrix and FireEye.

What versions of ADC/Gateway/SD-WAN WANOP are supported?

The tool supports ADC/Gateway on all MPX and VPX models running versions 10.5, 11.1, 12.0, 12.1 and 13.0, as well as SD-WAN WANOP models 4000, 4100, 5000 and 5100.

Does this tool need to be run on a live appliance?

This tool can be run on a live device, or offline against a support bundle of the appliance.

How do I run the tool/utility?

First, download the tool from the Release tab of this repository.

On a live device:

  1. Using WinSCP or SSH, copy the tool to a writable directory on the device, such as /tmp or /var.
  2. Execute the tool using a command like: bash ioc-scanner-CVE-2019-19781-1.0.sh --verbose &> /tmp/output.txt. You can specify any name for the output file (above: /tmp/output.txt). The --verbose flag enables Verbose Mode, which also reports activity such as scanning and failed exploitation attempts. This mode may return results that don't directly indicate compromise; however, they provide more detail for consideration.
  3. Export the output file using WinSCP or SSH.
  4. Review the output file for evidence of compromise. You should look for terms like MATCH that surround high confidence findings.

Against a mounted forensic image:

  1. Execute the tool using a command like: bash ioc-scanner-CVE-2019-19781-v1.1.sh /path/to/image/root/ --verbose &> /tmp/output.txt.
  2. Review the output file for evidence of compromise. You should look for terms like MATCH that surround high confidence findings.

How long does this tool take to complete the process?

The tool generally takes 2-3 seconds to complete and produce the output file. If the log files are very large, the process may take longer.

Is there any impact of running this tool on an appliance which is live and handling traffic?

This tool runs on the management CPU, and its impact on traffic handling is expected to be minimal.

What if the utility reports that the appliance is compromised?

Customers may engage Mandiant or other forensic analysts for additional help with forensics. Mandiant FireEye may be reached in the following ways:

  1. Call the toll-free number at (866) 962-6342 or +1 703-996-3012
  2. Email [email protected]

Alternatively, the customer may engage any other security firm for forensic analysis.

If the tool does not report any instance of exploitation, does it mean that the appliance is safe?

No. The tool searches for known indicators of compromise and cannot find every indicator. The tool may also be unable to detect some compromises, for example where an attacker has modified the logs.

How do I image a NetScaler device?

To collect an image of a live NetScaler file system, use the disk imaging tool dd over ssh to copy the partitions backing the following mount points:

  1. / (root)
  2. /flash
  3. /var

An example script for imaging a remote NetScaler device is included in this repository: util/get_image_from_remote.sh.

How do I mount the image .gz files?

Decompress the .gz files using gunzip, for example:

gunzip -q root_md0.img.gz

To mount the resulting image files, follow Hal Pomeranz's how-to guide on mounting a FreeBSD forensic image.

Note: When running gunzip, disregard errors about "trailing garbage"; a spurious "Done." may be present at the tail of the .gz file, causing gunzip to complain even though the decompressed data is complete.
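The following shell script is an added example that ties together the two steps above (imaging a partition with dd over ssh, then decompressing the .gz while tolerating the "trailing garbage" warning). It is not the repository's util/get_image_from_remote.sh and is not code from Citrix or FireEye. It assumes ssh access to the appliance as a user that can read the block devices, that gzip and a SHA-256 tool are present on the collector, and that the caller supplies the device-to-label mapping (the device names in the usage comment are placeholders; only /dev/md0 as the root device is taken from the root_md0.img.gz name used on this page). The hash is recorded immediately after collection so that later tampering or truncation of the image can be detected before it is mounted.

```shell
#!/bin/sh
# Added example (not part of the ioc-scanner repository): image a NetScaler
# partition over ssh with dd, gzip-compress in transit, record a SHA-256 of
# the .gz on the collector, and decompress while tolerating gzip's
# "trailing garbage" warning (gzip exit status 2 = warning, 1 = error).
#
# Usage (placeholders): sh image_netscaler.sh nsroot@APPLIANCE_IP ./images /dev/md0:root

# Runs a command line on the appliance. Kept as a separate function so the
# pipeline can be exercised locally by redefining it, e.g.
#   remote_exec() { sh -c "$2"; }
remote_exec() {
    # $1 = ssh target (user@host), $2 = command line to run there
    ssh "$1" "$2"
}

# Prints the SHA-256 of a file, using whichever tool the collector has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_partition <ssh-target> <block-device> <output.img.gz>
# Streams the raw device through dd and gzip on the appliance, writes the
# compressed image locally, and stores its SHA-256 next to it.
# bs=1048576 is used instead of bs=1m/1M so it works on both FreeBSD and GNU dd.
image_partition() {
    target=$1; device=$2; out=$3
    remote_exec "$target" "dd if='$device' bs=1048576 | gzip -c" > "$out" || return 1
    [ -s "$out" ] || return 1          # an empty image means dd failed remotely
    sha256_of "$out" > "$out.sha256"
}

# verify_image <image.img.gz>: succeeds only if the recorded hash still matches.
verify_image() {
    [ -f "$1.sha256" ] || return 1
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# decompress_image <image.img.gz> <image.img>
# gzip exits 2 (warning) when bytes follow the gzip stream, such as the
# spurious "Done." the FAQ mentions; the decompressed data is still complete,
# so only a real error (any other non-zero status) is treated as failure.
decompress_image() {
    rc=0
    gzip -dc -q "$1" > "$2" || rc=$?
    case $rc in
        0|2) return 0 ;;
        *)   rm -f "$2"; return 1 ;;
    esac
}

# main <ssh-target> <outdir> <device:label>...
# Images each listed partition (e.g. root, flash, var) into <outdir>.
main() {
    target=$1; outdir=$2; shift 2
    mkdir -p "$outdir" || return 1
    for spec in "$@"; do
        device=${spec%%:*}; label=${spec#*:}
        out="$outdir/${label}_$(basename "$device").img.gz"
        echo "imaging $device -> $out"
        image_partition "$target" "$device" "$out" || return 1
        echo "sha256 $(cat "$out.sha256")  $out"
    done
}

# Only run the collection when invoked with arguments, so the functions can be
# sourced or tested without contacting any appliance.
[ "$#" -ge 3 ] && main "$@"
```

Keep the .sha256 files with the images: re-run verify_image on the collector and again after transferring the images to the analysis host, and only then gunzip and mount them following the guide linked above. The trailing "Done." bytes change the hash of the .gz but not its decompressed content, which is why verification is done on the compressed file exactly as collected.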