Hi,
is the IPS of UTM 9.7 able to detect attacks based on CVE-2019-19781 and block them?
Frank.
Hi FrancWest
This is mainly identified by doing a scan on ports 443, 2083, 2087, and 8443/tcp, so if you have a DNAT pointing to your Citrix (NetScaler) Gateway servers, it might impact. The normal scanning will definitely get identified by IPS.
But talking specifically about CVE-2019-19781, I don't have any official information yet. I'll post it as soon as I have something on it.
Regards
Jaydeep
As UTM uses Snort, it could be. They have updated their rules since Dec. 24th, as stated here:
https://blog.talosintelligence.com/2020/01/snort-rules-cve-2019-19781.html
Best regards
Alex
-
That is the Talos commercial ruleset afaik. Sophos might not have updated the Snort rules. I am waiting for some confirmation here. Check out: https://community.sophos.com/products/unified-threat-management/f/network-protection-firewall-nat-qos-ips/42099/sophos-utm-ips-rules
Thanks for the clarification. I was hoping Sophos is using a commercial ruleset too. Best case, nearly up to date like other vendors. The information release from Sophos' side is not very good in these cases. Every now and then such a security problem appears. And always the community is asking and the answer isn’t popping up instantly. Is that really only a long way of communication, or do they test after the question has appeared? I hope it’s the communication.
Best regards
Alex
-
Alexander Busch said: I was hoping Sophos is using a commercial ruleset too.
Maybe they do, but I don't know this, and this would be important information.
Best regards
Joerg
Infected NetScaler behind IPS activated SG.
No IPS Rule matches within IPS-log(s).
Dirk
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
The Up2Date log indicates that the Snort rule set was updated on 12/30, 01/13 and today, just 2 hours ago.
Cheers - Bob