Active Exploitation of Citrix NetScaler (CVE-2019-19781): What You Need to Know

On Dec. 17, 2019, a directory traversal vulnerability was announced in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that allows a remote, unauthenticated user to write a file to a location on disk. Affected products include:


Citrix ADC and Citrix Gateway version 13.0 all supported builds
Citrix ADC and NetScaler Gateway version 12.1 all supported builds
Citrix ADC and NetScaler Gateway version 12.0 all supported builds
Citrix ADC and NetScaler Gateway version 11.1 all supported builds
Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

According to security researchers who have done in-depth analysis of the vulnerability, it initially appeared that the impact was limited because only files with a specific extension (.xml) could be written to disk. However, upon digging deeper, researchers found that, when combined with the Perl Templating Toolkit, this vulnerability allows remote code execution on the host. The Perl Templating Toolkit is a template subsystem for Perl, similar to templating libraries in other languages, that allows inline code to be embedded in documents so that runtime-generated content is easier to manage: a file write that reaches a template directory therefore becomes code execution. For additional technical details, see the in-depth analyses linked here and here.
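The defensive angle on the paragraph above is recognising the request class it describes: a URL path that walks out of the directory it was meant to serve and ends in a write of an .xml file. The following is an added example, not Rapid7's remote check and not code from any analysis the post links to. It parses constructed Common Log Format lines (no real traffic), decodes the path repeatedly so single- and double-percent-encoded traversal is caught, resolves the path the way a file system would, and flags requests that contain a `..` segment, that resolve outside the assumed served prefix `/portal/`, or that write a `.xml` target with POST/PUT. The prefix, IPs and paths are all assumptions for the example.

```python
"""Flag HTTP requests whose path uses directory traversal to escape the served
directory, and note writes of .xml targets (the file type the advisory describes).
Example code; the log lines below are constructed, not captured from any device."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. The last three
# use plain, percent-encoded and double-percent-encoded traversal respectively.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2020:10:00:01 +0000] "GET /portal/index.html HTTP/1.1" 200 512
192.0.2.11 - - [10/Jan/2020:10:00:02 +0000] "GET /portal/docs/release..notes.xml HTTP/1.1" 200 2048
192.0.2.12 - - [10/Jan/2020:10:00:03 +0000] "POST /portal/../../conf/template.xml HTTP/1.1" 200 0
192.0.2.13 - - [10/Jan/2020:10:00:04 +0000] "POST /portal/%2e%2e/%2e%2e/conf/template.xml HTTP/1.1" 200 0
192.0.2.14 - - [10/Jan/2020:10:00:05 +0000] "GET /portal/%252e%252e/conf/app.xml HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SERVED_PREFIX = "/portal/"  # assumed directory the application is meant to serve


def fully_decode(s, max_rounds=3):
    """Percent-decode until stable (bounded) so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def resolve_path(raw_target):
    """Return (resolved_path, has_dotdot_segment) for a request target.

    Only a whole '..' path segment counts as traversal; a filename such as
    'release..notes.xml' does not, which keeps benign requests out of the results.
    """
    path = raw_target.split("?", 1)[0]
    path = fully_decode(path).replace("\\", "/")
    segments = path.split("/")
    has_dotdot = ".." in segments
    resolved = posixpath.normpath(path)  # collapses '..' like a file system would
    return resolved, has_dotdot


def classify(line, served_prefix=SERVED_PREFIX):
    """Parse one log line; return a finding dict if it is suspicious, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    resolved, has_dotdot = resolve_path(m["target"])
    reasons = []
    if has_dotdot:
        reasons.append("traversal")
    if not resolved.startswith(served_prefix):
        reasons.append("escapes-prefix")
    if m["method"] in ("POST", "PUT") and resolved.lower().endswith(".xml"):
        reasons.append("writes-xml")
    if not reasons:
        return None
    return {"ip": m["ip"], "method": m["method"], "target": m["target"],
            "resolved": resolved, "status": m["status"], "reasons": reasons}


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    findings = []
    for line in log_text.splitlines():
        f = classify(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['target']} -> {f['resolved']} "
              f"[{', '.join(f['reasons'])}]")
```

Running this over the sample prints three findings: the plain, encoded and double-encoded traversal requests all resolve to a path under `/conf/`, the two POSTs additionally carry `writes-xml`, and the benign `release..notes.xml` request is not reported. The decoding loop is what matters in practice; a filter that only looks for the literal string `../` misses the encoded forms.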


Rapid7 has deployed several items to help detect the presence of this issue in your environment:


A remote check for InsightVM customers.
An update to our Threat Intel Dashboard in InsightVM to enable customers to quickly identify which assets in their environment are affected, along with the relevant contextual information on exploitability, which we outline in more depth below.
An active exploitation citrix netscaler 19781