As a follow up to our defensive perspective on trending CVE-2019-19781 incident response cases, our BlackBerry Red Team is now covering this issue from an offensive perspective. Attackers see this as an ideal vulnerability because by design, these types of appliances bridge the victim’s network to the Internet.
Exploitation of this host provides an excellent pivot point that facilitates lateral movement across the target network. In poorly designed environments, these devices may even skip the DMZ and reside inside the internal network—lowering the overall level of effort an attacker needs to exert to achieve their goal:
Figure 1: One potential (simplified) network architecture
Discovering the Vulnerability
Vulnerability scanners provide a fairly easy method of discovering assets and determining their associated vulnerabilities—even for someone unfamiliar with the network. For example, Tenable’s Nessus Vulnerability Scanner has four plugins capable of performing checks for this particular vulnerability using different methods such as SNMP, local checks, and web checks.
To be more selective, you can run a single plugin to check for the vulnerability or use a dedicated auxiliary module within the Metasploit framework, as shown here:
Figure 2: Searching Metasploit for the CVE-2019-19781 scanner
Exploiting the Vulnerability
After confirming the existence of the vulnerability, from an attacker’s perspective, it is time to exploit it. Early on, exploiting this vulnerability was more of a manual process; however, with the explosion of publicly available code, it is now well beyond the point of weaponization and automation. In fact, one easy method of exploitation is included in the freely available Metasploit Framework and provides a number of payload options, as shown in the screenshot below:
Figure 3: Metasploit payloads that can be deployed via the citrix_dir_traversal_rce exploit
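The exploit module above is a directory traversal, so attempts against the appliance leave a recognisable shape in the web access log. The following scanner is an added example for defenders (it is not BlackBerry's or Metasploit's code); it flags requests that combine a `..` segment with the `/vpns/` directory, the same two conditions the public interim mitigation guidance for this CVE keyed on. The log lines and request paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache "combined" layout). They are not
# from the post; the request paths are made up to show the traversal shape.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2020:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2020:10:01:09 +0000] "GET /vpn/../vpns/portal/example.pl HTTP/1.1" 200 0 "-" "curl/7.64"
203.0.113.7 - - [12/Jan/2020:10:01:11 +0000] "POST /vpn/%2e%2e/vpns/portal/example.pl HTTP/1.1" 200 0 "-" "python-requests/2.22"
203.0.113.9 - - [12/Jan/2020:10:02:30 +0000] "GET /vpns/cfg/example.conf HTTP/1.1" 403 0 "-" "curl/7.64"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal_to_vpns(path: str) -> bool:
    """True when the request uses a '..' path segment and lands in /vpns/."""
    decoded = decode_path(path.split("?", 1)[0])
    return ".." in decoded.split("/") and "/vpns/" in decoded


def find_suspicious(log_text: str) -> list:
    """Return (src_ip, method, raw_path, status) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_to_vpns(m["path"]):
            hits.append((m["src"], m["method"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious:", hit)
```

A 200 response on a flagged request deserves a closer look than a 403, since the former indicates the appliance served the traversed path rather than blocking it.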
Post Exploitation Possibilities
The attacker’s goal will largely drive the payload decision. However, in the majority of instances, a persistence mechanism is established along with an instrument for conducting lateral movement. In one of our Red Team engagements, we were able to pull the /flash/nsconfig/ns.conf file from the affected device, which contained domain credentials—making lateral movement trivial. This, combined with the network information from the appliance, provides an attacker a path to spread and achieve their goals. Once moving throughout the network, they are free to deploy ransomware or steal sensitive information.
Conclusion
Due to the uptick in Incident Response inbounds resulting from the CVE-2019-19781 exploit, we hope that covering both the attacker and defender’s perspective spurs organizations to take a second look at their environment. If you have not put on your black hat, it might be time. A little effort spent looking for these vulnerabilities and signs of compromise will pay dividends down the road.