Comparing Citrix CVE Verification Tool to a one-liner bash script

Last December NIST announced the vulnerability CVE-2019-19781, and soon afterwards Citrix published the page "CVE-2019-19781 – Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance" and released a verification tool to help clients find out whether they were vulnerable: "CVE-2019-19781 – Verification Tool".

A verification tool is addressed to an IT specialist who works with these solutions and needs to quickly assess whether the software or appliance is affected by this vulnerability.

Let me say that Citrix is a market leader and this is not an article that wants to diminish or criticize any of their products in any way. It’s wonderful that the source code is made available by the vendor and you can see and learn what the code is actually doing.

This is a sort of code review and my personal suggestion on how to achieve similar results with no code at all, bearing in mind that their verification tool just works, but it makes a simple check more complicated than it actually is.

Let’s look at the source code

And this is the code they provide:

Let’s put on our developer’s hat

I guess the goal was to use a popular programming language that could be run on any platform. Python is a perfect candidate for that: even if it is not installed by default on Windows, it’s straightforward to install it via the Windows Store, even without admin privileges, under the user profile.

I also understand the choice of writing the code using just the standard libraries and not using a friendly library like Requests. This script also requires a couple of mandatory arguments: an input file for your target hosts and an output file for the scan results.

So if you look at what this script does in 110 lines of Python code, you end up with a wrapper around curl written in Python, so it requires 2 dependencies, Python and curl, installed on the operating system, and it needs you to read the help to populate the text file.

Do we have any alternative?

Yes, simply using curl instead.

On every OS, you simply need to run (replace <IP_address> with your target server FQDN or IP):

This one-liner performs the same checks with a slightly fancier user prompt and response (for Linux, macOS, or WSL on Windows):

Why do I prefer this approach?

First of all simplicity and practicality.

The reason why I’m re-writing this tool is that curl is a very popular tool that everybody uses, or should at least know exists.
