Citrix NetScaler zero-day exploited in the wild, patch is available (CVE-2023-3519)
Citrix has patched three vulnerabilities (CVE-2023-3519, CVE-2023-3466, CVE-2023-3467) in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), one of which is a zero-day being exploited by attackers.
A zero-day patched (CVE-2023-3519)
CVE-2023-3519 is a remote code execution (RCE) vulnerability that could allow an unauthenticated threat actor to execute arbitrary code on a vulnerable server. At this time there is no public PoC, but the vulnerability has been observed being exploited in the wild.
Citrix has noted that the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server to be vulnerable.
CVE-2023-3466 is a reflected XXS vulnerability that can be exploited if the victim accesses an attacker-controlled link in the browser while being on a network with connectivity to the NSIP.
CVE-2023-3467 could allow a threat actor to elevate privileges to root administrator (nsroot). Authenticated access to NSIP or SNIP with management interface access is required to leverage this vulnerability.
The vulnerabilities have been reported to the company by Wouter Rijkbost and Jören Guerts of Resillion.
Remediation
Citrix appliances have been a popular target for cybercriminals.
In early 2022, the company reported the exploitation of a RCE vulnerability (CVE-2022-27518) in its Citrix ADC deployments by a Chinese state-sponsored group. Earlier this year, ransomware threat actors also exploited an auth bypass flaw (CVE-2022-27510) on Citrix ADC and Gateway.
The company noted that the following supported versions of NetScaler ADC and NetScaler Gateway are affected by the three patched vulnerabilities:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
Fixes have been provided for all these versions including the later releases.
NetScaler ADC and NetScaler Gateway version 12.1 have reached end-of-life, meaning they are now vulnerable and should be updated to a supported version as soon as possible.
“This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action,” Citrix added.
There is a document containing indicators of compromise and “mentioning a PHP webshell, a SetUID binary and an IP” that enterprise admins can use to check whether their Citrix systems have been compromised, but it has yet to be made publicly available.
UPDATE (July 19, 2023, 12:20 p.m. ET):
An unofficial guide for investigating whether your Citrix Netscaler installations have been compromised via CVE-2023-3519 has been made public.
UPDATE (July 21, 2023, 07:15 a.m. ET):
The exploitation of the Citrix NetScaler ADC zero-day vulnerability (CVE-2023-3519) was first spotted by a critical infrastructure organization, who reported it to the Cybersecurity and Infrastructure Security Agency (CISA).