#citrixadc

Patrick Terlisten (pterlisten@social.cologne)
2024-11-13

#Citrix has fixed two critical security vulnerabilities in #CitrixADC and Gateway.

support.citrix.com/s/article/C

Check your ns.conf for the following configuration settings. If they are set, you should update immediately.

enable ns feature.*rdpproxy
add rdp serverprofile <RDP_server_name>
add vpn vserver <vserver_name> -rdpServerProfileName <RDP_server_name>
enable ns feature.*rdpproxy
add authentication vserver
add vpn vserver
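As an added example (not part of the post above or of Citrix's bulletin), the following POSIX shell script greps an ns.conf for the settings the post lists and reports whether either group is present. The grouping of the lines into two sets (RDP proxy profile bound to a VPN vserver; RDPProxy feature plus an authentication vserver and a VPN vserver) is an assumption read off the post, the path /nsconfig/ns.conf is assumed, and the two sample configurations are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: audit a NetScaler ns.conf for the
# configuration lines the post lists. The two groupings below are an assumption
# drawn only from the listed lines; both sample configs are constructed.
# On an appliance run:  audit_ns_conf /nsconfig/ns.conf   (path assumed)

# Case-insensitive check for one ns.conf line pattern; returns grep's status.
conf_has() {
  grep -Eiq "$2" "$1"
}

# Returns 0 when the RDP-proxy settings are all present: the RDPProxy feature,
# an RDP server profile, and a VPN vserver bound to such a profile.
rdp_proxy_configured() {
  conf_has "$1" '^enable ns feature.*rdpproxy' &&
  conf_has "$1" '^add rdp serverprofile ' &&
  conf_has "$1" '^add vpn vserver .*-rdpServerProfileName '
}

# Returns 0 when the second group is present: the RDPProxy feature together
# with an authentication vserver and a VPN vserver.
aaa_with_rdp_proxy_configured() {
  conf_has "$1" '^enable ns feature.*rdpproxy' &&
  conf_has "$1" '^add authentication vserver ' &&
  conf_has "$1" '^add vpn vserver '
}

# Prints a verdict and returns 0 if either group matches, i.e. update now.
audit_ns_conf() {
  hit=1
  if rdp_proxy_configured "$1"; then
    echo "MATCH: RDP server profile bound to a VPN vserver in $1"
    hit=0
  fi
  if aaa_with_rdp_proxy_configured "$1"; then
    echo "MATCH: RDPProxy feature with authentication and VPN vservers in $1"
    hit=0
  fi
  [ "$hit" -eq 0 ] || echo "none of the listed settings found in $1"
  return "$hit"
}

# Constructed sample that contains every listed setting (names are made up).
make_exposed_sample() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
enable ns feature LB SSL SSLVPN AAA RDPProxy
add rdp serverProfile rdp_prof_example -psk "constructed-psk"
add authentication vserver aaa_vs_example SSL 0.0.0.0
add vpn vserver gw_vs_example SSL 203.0.113.10 443 -rdpServerProfileName rdp_prof_example
EOF
  printf '%s\n' "$f"
}

# Constructed sample of a gateway that never enabled the RDPProxy feature.
make_clean_sample() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
enable ns feature LB SSL SSLVPN AAA
add authentication vserver aaa_vs_example SSL 0.0.0.0
add vpn vserver gw_vs_example SSL 203.0.113.10 443
EOF
  printf '%s\n' "$f"
}

# Usage: sh audit.sh /nsconfig/ns.conf  (exit status 0 means a group matched)
if [ -n "${1:-}" ]; then
  audit_ns_conf "$1"
fi
```

The feature line in ns.conf lists every enabled feature on one `enable ns feature` line, which is why the pattern uses `.*rdpproxy` rather than an exact match, and `grep -i` covers the mixed-case spellings (`RDPProxy`, `serverProfile`) the appliance writes.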

2024-04-22

A critical vulnerability, known as CVE-2024-3902, has been discovered in Citrix's uberAgent monitoring tool. This flaw could potentially allow attackers to increase their access rights within the system. The vulnerability is rated highly severe with a CVSS score of 7.3, indicating its serious impact.

The issue stems from incorrect settings in the uberAgent software, which can be exploited to elevate user permissions. It specifically affects certain versions of Citrix uberAgent. To mitigate the risk, Citrix has recommended immediate actions such as disabling all CitrixADC metrics by removing specific timer properties and ensuring that WmiProvider is not configured or set to WMIC for versions 7.0 to 7.1.1.

Citrix strongly advises all affected customers to upgrade to uberAgent version 7.1.2 or later, which contains a fix for the vulnerability and offers enhanced security features. These updates can be obtained from the official uberAgent website.

support.citrix.com/article/CTX

#cybersecurity #citrix #vulnerability #uberagent #cve #citrixadc #vmic #update

2023-10-10

Creating a download for a patch is too far-fetched #citrix #CitrixADC

H3lium (H3liumb0y@infosec.exchange)
2023-07-21

Found a guide for NetScaler (Citrix ADC) CVE-2023-3519 that explains how to validate and check for (currently) known Indicators of Compromise (IoCs) on a local CITRIX device.

The full guide including the commands, can be found here: [Checklist for Citrix ADC CVE-2023-3519](deyda.net/index.php/en/2023/07)

Please bear in mind that this is a guide "found on the internet". Although it appears to be reliable and it was mentioned by SANS stormcast, these devices are not my specific area of expertise. Use your brain and use at your own risk...

Here are some key points from the article:

1. **Log in with nsroot or another administrative account.**

2. **Find out the time of the last update.** - This command lists the details of the files in the /var/nsinstall directory, which can help determine when the last update occurred.
```
shell
ls -l /var/nsinstall
```

3. **Check whether certain files have been adjusted since the last update.** - These commands find and list files in specified directories that have been modified since the last update.
```
shell
find /netscaler/ns_gui/ -type f -name '*.php' -newermt "{Timestamp of Installer Files +1}" -exec ls -l {} \;
find /var/vpn/ -type f -newermt "{Timestamp of Installer Files +1}" -exec ls -l {} \;
find /var/netscaler/logon/ -type f -newermt "{Timestamp of Installer Files +1}" -exec ls -l {} \;
find /var/python/ -type f -newermt "{Timestamp of Installer Files +1}" -exec ls -l {} \;
```

4. **Check for HTTP error log files.** - These commands search for .sh and .php entries in the HTTP error log files.
```
zgrep '\.sh' /var/log/httperror.log*
zgrep '\.php' /var/log/httperror.log*
```

5. **Check for Shell log files.** - This command searches for entries related to '/flash/nsconfig/keys' in the shell log files.
```
grep '/flash/nsconfig/keys' /var/log/sh.log*
```

6. **Check log files for known IOCs.** - This command finds and lists files with root permissions that have been modified since the last update.
```
find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt "{Timestamp of Installer Files +1}" -exec ls -l {} \;
```

7. **Check for Nobody processes.** - This command lists processes running under the 'nobody' user that are not associated with '/bin/httpd'.
```
shell
ps aux | grep '[n]obody' | grep -v '/bin/httpd'
```


#NetScaler #CitrixADC #CVE20233519 #SecurityGuide #IndicatorsOfCompromise #IoCs #InfoSec #CyberSecurity #VulnerabilityManagement #SecurityInvestigation #SysAdminTips #NetworkSecurity #CyberThreats #ITSecurity #OnlineSecurity #CyberAware #TechSafety #SecureNetworking #VulnerabilityScanning #InfoSecAwareness
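The checklist above, as an added example written for this page (it is not code from the post or from the linked guide): the seven steps wrapped in POSIX shell functions that take a filesystem root, so the same script can be run against `/` on an appliance or against a constructed tree in a temp directory for an offline dry run. Instead of typing "{Timestamp of Installer Files +1}" by hand it uses the newest file under var/nsinstall as the `find -newer` reference; that the installer files are a reliable marker of the last update is an assumption. All paths inside the constructed tree, its log lines and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the post or the linked guide: the checklist steps as
# shell functions over a NetScaler filesystem root. The newest file under
# var/nsinstall stands in for the hand-typed timestamp (assumption: installer
# files mark the last update). On an appliance:  triage /
# Offline:  r=$(build_constructed_tree); triage "$r" ""

# Step 2: newest installer file, used as the "last update" marker.
newest_install_file() {
  find "$1/var/nsinstall" -type f -exec ls -t {} + | head -n 1
}

# Step 3: files changed after the marker in the GUI web root and script dirs.
files_changed_since() {
  root=$1; ref=$2
  find "$root/netscaler/ns_gui" -type f -name '*.php' -newer "$ref" 2>/dev/null
  for d in var/vpn var/netscaler/logon var/python; do
    find "$root/$d" -type f -newer "$ref" 2>/dev/null
  done
}

# Helper for steps 4 and 5: grep a pattern across plain and rotated .gz logs,
# reading .gz files through gzip -dc the way zgrep does.
grep_logs() {
  pattern=$1; shift
  for f in "$@"; do
    [ -f "$f" ] || continue
    case $f in
      *.gz) gzip -dc "$f" ;;
      *)    cat "$f" ;;
    esac | grep -E "$pattern" | sed "s|^|$f: |"
  done
}

# Step 4: requests for .sh or .php files in the HTTP error logs.
http_log_hits() { grep_logs '\.(sh|php)' "$1"/var/log/httperror.log*; }

# Step 5: shell history that touched the key store.
shell_log_hits() { grep_logs '/flash/nsconfig/keys' "$1"/var/log/sh.log*; }

# Step 6: setuid files outside var/nslog newer than the marker. Third argument
# is the owner to match (root by default); pass "" to skip the owner test,
# which the offline demo needs because it cannot create root-owned files.
new_setuid_files() {
  root=$1; ref=$2; owner=${3-root}
  if [ -n "$owner" ]; then
    find "$root/var" -type f -perm -4000 -user "$owner" ! -path "$root/var/nslog/*" -newer "$ref"
  else
    find "$root/var" -type f -perm -4000 ! -path "$root/var/nslog/*" -newer "$ref"
  fi
}

# Step 7: processes running as nobody other than the httpd workers; the
# bracketed pattern keeps the grep process itself out of the listing.
nobody_processes() {
  ps aux | grep '[n]obody' | grep -v '/bin/httpd'
}

# Full report over one root. Nothing here is a verdict: each listed item still
# needs a human to decide whether it is expected on that appliance.
triage() {
  root=$1; owner=${2-root}
  ref=$(newest_install_file "$root")
  echo "== update marker: $ref"
  echo "== files changed since marker";   files_changed_since "$root" "$ref"
  echo "== .sh/.php in httperror.log*";   http_log_hits "$root"
  echo "== key store access in sh.log*";  shell_log_hits "$root"
  echo "== new setuid files";             new_setuid_files "$root" "$ref" "$owner"
  echo "== nobody processes (not httpd)"; nobody_processes || echo "(none)"
}

# Constructed NetScaler-like tree with one "changed" item per check; every
# path, log line and file name below is made up for the demo.
build_constructed_tree() {
  r=$(mktemp -d)
  mkdir -p "$r/var/nsinstall" "$r/netscaler/ns_gui/vpn" "$r/var/vpn/themes" \
           "$r/var/netscaler/logon" "$r/var/python" "$r/var/log" "$r/var/nslog" "$r/var/tmp"
  touch -t 202307010000 "$r/var/nsinstall/build_example.txt"     # last update marker
  touch -t 202306010000 "$r/netscaler/ns_gui/vpn/index.php"      # older: not listed
  touch -t 202306010000 "$r/var/vpn/themes/default.css"          # older: not listed
  touch "$r/netscaler/ns_gui/vpn/dropped.php"                    # newer: listed
  touch "$r/var/tmp/suid_bin"; chmod 4755 "$r/var/tmp/suid_bin"  # newer setuid: listed
  touch "$r/var/nslog/suid_ignored"; chmod 4755 "$r/var/nslog/suid_ignored"  # excluded path
  printf '%s\n' '203.0.113.5 - - "GET /vpn/index.html HTTP/1.1" 200' \
                '203.0.113.5 - - "POST /vpn/dropped.php HTTP/1.1" 200' > "$r/var/log/httperror.log"
  printf '%s\n' 'Jul 20 09:00:00 root: ls /var/tmp' \
                'Jul 20 09:01:00 root: cp /flash/nsconfig/keys/example.key /var/tmp' > "$r/var/log/sh.log"
  printf '%s\n' "$r"
}
```

`-newer` compares against a reference file rather than a typed date, which avoids the `-newermt` date-format pitfalls and the "+1" adjustment; the trade-off is that anything modified in the same second as the newest installer file is not reported.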

deltatux (deltatux@infosec.town)
2023-07-21
2023-07-19

[CVE-2023-3519] Did you know you can use #UAC to triage #NetScaler #CitrixGateway #CitrixADC devices?

Get it here: github.com/tclahr/uac

#DFIR #infosec #cybersecurity #zeroday #RCE #Citrix

deltatux (deltatux@infosec.town)
2023-07-18

#Citrix has disclosed multiple vulnerabilities in their #CitrixADC & #CitrixGateway products. Successful exploitation of these vulnerabilities will allow attackers to gain root access & perform remote code execution.

These vulnerabilities have a #CVSS score ranging from 8 to 9.8 out of 10.

Organizations with these Citrix products are advised to #patch immediately.

#infosec #cybersecurity #PatchManagement #VulnerabilityManagement #RCE

https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

heise online (heiseonline)
2023-01-02

Patch now! Thousands of Citrix servers are still vulnerable

Attackers are currently exploiting critical vulnerabilities in Citrix ADC and Gateway. Despite available security patches, many instances are still unpatched.

heise.de/news/Jetzt-patchen-Ta

[Image: key labeled "Update"]
2022-12-13

An unauthenticated remote code execution flaw (CVE-2022-27518) is being leveraged by APT5 to compromise Citrix ADC deployments.

helpnetsecurity.com/2022/12/13

@RGB_Lights #Citrix #CitrixADC #APT #IoC #ThreatHunting #0day #Cybersecurity #Infosec

heise online (unofficial) (heiseonline@squeet.me)
2022-11-09
Citrix closes security vulnerabilities through which attackers could, among other things, gain unauthorized access to device functions. Administrators should update promptly.
Citrix Gateway and ADC: Critical vulnerability allows unauthorized access
heise online (unofficial) (heiseonline@squeet.me)
2022-05-27
There are important security patches for Citrix ADC and Citrix Gateway. Attackers could bring the network hardware to a standstill.
Security updates: Attackers could cripple Citrix network hardware
heise online (unofficial) (heiseonline@squeet.me)
2020-09-22
Attackers could attack various Citrix products and, in the worst case, execute their own commands.
Security updates: Dangerous vulnerabilities threaten Citrix ADC, Gateway and SD-WAN
2020-01-21

Citrix Accelerates Patch Rollout For Critical RCE Flaw - Citrix has issued the first of several updates fixing a critical vulnerability in various versions... more: threatpost.com/citrix-patch-ro #remotecodeexecution #vulnerabilities #cve-2019-19781 #citrixgateway #unpatchedflaw #vulnerability #exploitcode #pocexploit #citrixadc #shitrix #citrix #hacks

CIRCL - Old account (circl@mastodon.opencloud.lu)
2020-01-14

We recorded a quick walk through of the #CitrixADC code showing how #Citrix messed up and why the exploit works. #cve201919781 #iperl #codinglikeitsthe90s #IRisfun #OWASPTOP10
youtu.be/msslpqyf98c  (first tweet had the url missing)

2020-01-13

Unpatched Citrix Flaw Now Has PoC Exploits - Over 25,000 servers globally are vulnerable to the critical Citrix remote code execution vulnerabi... more: threatpost.com/unpatched-citri #remotecodeexecution #vulnerabilities #cve-2019-19781 #citrixgateway #unpatchedflaw #vulnerability #exploitcode #pocexploit #citrixadc #shitrix #citrix
