Detecting Citrix CVE-2019-19781 with OWASP Nettacker

This article was originally published on Medium: https://medium.com/@securestep9/detecting-citrix-cve-2019-19781-with-owasp-nettacker-c460c5912c77

Citrix CVE-2019-19781 vulnerability is the current hot topic in Information Security circles this week, as exploits for this vulnerability are now publicly available and may allow unauthenticated attackers to obtain direct access your company local network from the Internet. Citrix NetScaler ADC and Gateway products are vulnerable.

According to cybersecurity expert Kevin Beaumont (aka GossiTheDog on Twitter) who runs a network of Citrix ADC honeypots the active exploitation of CVE-2019-19781 started on January 8th, 2020:


According to various estimates 40,000–80,000 organisations worldwide might be affected and vulnerable! Which means that hackers might be able to sneak in to your corporate network through the devices which are supposed to be the gatekeepers into your network! Not good.

2020-08-24_12-36-01

Citrix have released the mitigation, which is effectively a policy which detects and blocks the attempts to exploit the attack, however there is no proper patch released yet (as of 10th January 2020) which would fix the underlying problem in the software code.

I strongly advise all organisations with NetScaler/ADC to apply the Citrix mitigation immediately to avoid compromise — the steps to mitigate the vulnerability are documented in the following Citrix Support Article :

https://support.citrix.com/article/CTX267027

However, in order to patch/apply mitigation to your vulnerable Citrix devices you need to be able to find them first!

IT Asset inventory is a big problem in information security/cyber security as it is the devices/services/servers you don’t know about which pose the biggest risk.

OWASP Nettacker project can help you address the task of scanning multiple devices for this vulnerability as well as the task of finding the vulnerable devices in your network.

What is OWASP Nettacker? Just like all OWASP Projects OWASP Nettacker is an Open Source project and tool. OWASP Nettacker in a nutshell is a Swiss Army Knife for Reconnaissance & Vulnerability Scanning — it is a relatively new OWASP tool written in Python consisting of multiple modules (63 modules at the time of writing) which can be used from the single command line (use one or a combination of modules) against a target or a list of targets to perform an information gathering scan or a vulnerability detection scan.

Last night I added a new vulnerability detection module to OWASP Nettacker: citrix_cve_2019_19781_vuln making it the 63rd tool in this framework.

I usually run OWASP Nettacker on my KALI Linux VM, but because OWASP Nettacker is written in Python it can be run on any Linux/Mac/Windows system— provided you have Python2 or Python3 installed.

You can install OWASP Nettacker by doing a ‘git clone https://github.com/zdresearch/OWASP-Nettacker’ from GitHub and installing the Python dependencies using a single command like this:

class=“mention” href="/tags/git" data-type=“Tag” data-id=“TMLH8gEnq2rpQcJkH” title="#git (search)">git clone href=“https://github.com/zdresearch/OWASP-Nettacker.git” target="_blank" rel=“noopener”> href=“https://github.com/zdresearch/OWASP-Nettacker.git” target="_blank" rel=“noopener”>https://github.com/zdresearch/OWASP-Nettacker.git && cd OWASP-Nettacker && pip install -r requirements.txt && python setup.py install</a
If you hit any issues please check the Installation section in the OWASP Nettacker Wiki here:

Once OWASP Nettacker is installed change directory to OWASP-Nettacker:

cd OWASP-Nettacker
Now you can run the tool using Python specifying that you need the module citrix_cve_2019_19781_vuln in -m command line switch and your target (IP/IP range/FQDN) in -i like this:

python nettacker.py -i -m citrix_cve_2019_19781_vuln
to scan a single IP address (xxx.xxx.xxx.xxx):

python nettacker.py -i xxx.xxx.xxx.xxx -m citrix_cve_2019_19781_vuln
However if you don’t know how many Citrix devices you have and their precise IP addresses you can use OWASP Nettacker to scan a whole IP range (e.g. xxx.xxx.xxx.xxx/24):

python nettacker.py -i xxx.xxx.xxx.xxx/24 -m citrix_cve_2019_19781_vuln
If you don’t know the IP address ranges of your network but do know that Citrix devices have subdomains (e.g. remote.mycompany.com, vpn.mycompany.com, access.mycompany.com etc) you can ask Nettacker to enumerate subdomains and test them for Citrix vulnerability like this (please note the -s command like switch which instructs Nettacker to discover the subdomains of the domain name listed in the -i ):

python nettacker.py -i mycompany.com -s -m citrix_cve_2019_19781_vuln
If you have the list of IPs/FQDNs of your Citrix devices saved in a file called list.txt (one line per IP or FQDN) you can scan all the devices in your list using the -l command line switch:

python nettacker.py -l list.txt -m citrix_cve_2019_19781_vul
If you would like to save the OWASP Nettacker report in class=“mention” href="/tags/json" data-type=“Tag” data-id=“8DfYim7CuQmuXYHqJ” title="#JSON (search)">JSON class=“mention” href="/tags/format" data-type=“Tag” data-id=“pr69wf4F3Et3YsaFE” title="#format (search)">format instead of the default class=“mention” href="/tags/html" data-type=“Tag” data-id=“PMyvn4NA9e5ve4MH5” title="#html (search)">HTML format you can specify the report output filename using the -o command line switch (-o filename.json) for example
python nettacker.py -i xxx.xxx.xxx.xxx/24 -m citrix_cve_2019_19781_vuln -o report.json
In this article I demonstrated how to use only one OWASP Nettacker module for finding one vulnerability. OWASP Nettacker includes 62 more modules for helping you to find vulnerable systems in your network.

You can find our more about OWASP Nettacker here: https://www.owasp.org/index.php/OWASP_Nettacker

The full OWASP Nettacker documentation can be found on Wiki: