Exploited Critical Vulnerabilities Identified in Citrix NetScaler ADC and Gateway Products
Take action: Your Citrix gateways are exposed on the internet, indexed on Shodan, and attackers are searching for them. No amount of arguing that "we have firewalls" is going to make it better. Start patching today.
Citrix is reporting a critical-severity vulnerability, tracked as CVE-2023-3519, in two of its products: NetScaler ADC and NetScaler Gateway.
This particular vulnerability has already been exploited in real-world attacks. Citrix has promptly released updated versions of these products to address the issue, urging all customers to take immediate action and install the updates as soon as possible.
The patch addresses three vulnerabilities:
- CVE-2023-3519 (CVSS score 9.8 out of 10) - critical vulnerability, exploited by hackers. Exploiting this vulnerability allows an attacker to execute code remotely without authentication. To exploit this security issue, the vulnerable appliance must be configured as a gateway or an authentication virtual server.
- CVE-2023-3466 (CVSS score 8.3 out of 10) - reflected cross-site scripting (XSS) issue that can be exploited if a victim loads a link from an attacker in their browser.
- CVE-2023-3467 (CVSS score 8 out of 10) - allows an attacker to elevate privileges to those of a root administrator (nsroot) with authenticated access to the NetScaler appliances’ IP address.
Chaining CVE-2023-3519 with CVE-2023-3467 is an obvious takeover path for attackers to gain full control of the affected Citrix products.
To mitigate the risk of exploitation, Citrix advises users to ensure that their vulnerable appliances, configured as gateways or authentication virtual servers, are immediately updated with the latest recommended versions of Citrix ADC and Citrix Gateway:
Fixed versions
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases,
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0,
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS,
- NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS,
- NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP.
Note that NetScaler ADC and NetScaler Gateway version 12.1 have reached their end-of-life stage, and customers are strongly recommended to upgrade to newer versions to ensure continued security and support.
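The fixed-build list above is easy to misread by hand (the FIPS and NDcPP branches have their own build numbers, and plain 12.1 has no fix at all). The following is an added inventory-check helper, not a Citrix tool: it encodes the advisory's fixed builds and classifies a version string as fixed, vulnerable, end-of-life or unknown. The banner-style input (`NetScaler NS13.0: Build 90.12.nc`) is an assumption about how the appliance reports its own version; the advisory-style strings are taken from the list above.

```python
import re
from typing import Tuple

# Fixed builds per release branch, as listed in the advisory above.
# A build is safe when it is greater than or equal to the fixed build.
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (65, 36),
    "12.1-NDcPP": (65, 36),
}
# Plain 12.1 is end-of-life: no fixed build exists, the branch must be left.
EOL_BRANCHES = {"12.1"}


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, build) from a version string.

    Accepts the advisory form ('13.1-48.47', '13.1-FIPS 13.1-37.150') and
    an assumed banner form ('NetScaler NS13.0: Build 90.12.nc').
    The first x.y pair is the release, the last x.y pair is the build.
    """
    pairs = re.findall(r"(\d+)\.(\d+)", text)
    if len(pairs) < 2:
        raise ValueError(f"no release/build pair found in {text!r}")
    release = f"{pairs[0][0]}.{pairs[0][1]}"
    variant = re.search(r"\b(FIPS|NDcPP)\b", text)
    branch = release + ("-" + variant.group(1) if variant else "")
    build = (int(pairs[-1][0]), int(pairs[-1][1]))
    return branch, build


def assess(text: str) -> str:
    """Classify a build as 'fixed', 'vulnerable', 'end-of-life' or 'unknown'."""
    branch, build = parse_version(text)
    if branch in EOL_BRANCHES:
        return "end-of-life"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    return "fixed" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    for sample in ("13.1-48.47", "13.1-49.13", "NetScaler NS13.0: Build 90.12.nc",
                   "13.1-FIPS 13.1-37.159", "12.1-65.35", "12.1-NDcPP 12.1-65.36"):
        print(f"{sample:40} -> {assess(sample)}")
```

A "fixed" result only covers the three CVEs in this advisory; an appliance configured as a gateway or authentication virtual server should still be checked for signs of compromise before the patch was applied.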
Additionally, Citrix has identified and addressed two other vulnerabilities as part of the update release: CVE-2023-3466 and CVE-2023-3467. These vulnerabilities, with severity scores of 8.3 and 8 respectively, posed risks of reflected cross-site scripting (XSS) and privilege elevation for attackers with authenticated access to the NetScaler appliances' IP address.
Update - The Cybersecurity and Infrastructure Security Agency (CISA) recently released a security advisory indicating that threat actors have been exploiting a zero-day vulnerability in Citrix ADC (Application Delivery Controller) and NetScaler Gateway.
Threat actors exploited an unauthenticated remote code execution vulnerability to drop web shells in the environment and also attempted to move laterally to the domain controller. That attempt was blocked by network-segmentation controls.
Security researchers revealed on Friday 21 July that, based on the publicly accessible version information on the servers, at least 15,000 appliances are identified as exposed to attacks leveraging the flaw (CVE-2023-3519).
British information assurance firm NCC Group reports that as of 15 August a threat actor has automated the exploitation of the Citrix vulnerability and has infected roughly 2,000 NetScaler instances with a backdoor.
Citrix advises organizations with NetScaler ADC and Gateway appliances to prioritize the installation of these updates to safeguard against potential attacks. Additionally, they encourage organizations to investigate whether their systems have already been compromised, by searching for web shells and reviewing HTTP error logs and shell logs for any anomalies that could indicate initial exploitation.