Vulnerabilities  
July 19, 2023

Zero-Day Exploitation of Critical Citrix ADC and Gateway Vulnerability Discovered

Citrix has issued an urgent notification to all its customers regarding a critical vulnerability (CVE-2023-3519) detected in NetScaler ADC and NetScaler Gateway. The vulnerability is actively being exploited, posing a serious threat to users' data and systems. To mitigate this risk, it is strongly advised that all users install the latest updated versions as soon as possible.

In addition, there has been a recent disclosure on a hacker forum about a similar security concern, identified as a zero-day vulnerability. Organizations should remain vigilant and take proactive measures to safeguard their systems and data from potential attacks.

Mandatory update

Citrix ADC and Citrix Gateway, formerly known as NetScaler ADC and NetScaler Gateway, have been updated with new versions. These updates aim to address and mitigate a set of three vulnerabilities that were identified in the products.

Citrix has identified a set of vulnerabilities in its products, with the most severe one, tracked as CVE-2023-3519, scoring 9.8 out of 10. This vulnerability allows attackers to remotely execute code without authentication.

For the issue to be exploitable, the vulnerable appliance must be configured either as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (AAA server).

Citrix has observed exploits of CVE-2023-3519 on unmitigated appliances and has issued a security bulletin, strongly advising customers to update to fixed versions. The recommended versions to switch to are:

NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases

NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0

NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS

NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS

NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

It's worth noting that NetScaler ADC and NetScaler Gateway version 12.1 has reached end of life, so customers on that release are strongly advised to upgrade to a supported variant of the product for continued security protection.
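Added here as a worked example (not code from the article or from Citrix): a small Python checker that applies the fixed-version list above to an appliance inventory, treating each FIPS/NDcPP line as its own branch and standard 12.1 as end-of-life. The version-string format "13.1-48.47" and the separate `variant` label are assumptions about how an inventory records builds.

```python
import re

# Minimum fixed builds per branch, taken from the bulletin list above: (build, sub-build)
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (65, 36),
    "12.1-NDcPP": (65, 36),
}
EOL_BRANCHES = {"12.1"}  # standard 12.1 is end-of-life: no fixed build will ship

# Assumed inventory format: "<release>-<build>.<sub>", e.g. "13.1-48.47"
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(text):
    """'13.1-48.47' -> ('13.1', 48, 47); raises ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(version, variant=None):
    """Classify one appliance against the bulletin.

    variant: 'FIPS' or 'NDcPP' for those builds, None for standard (an assumption about
    how the caller labels them; the bulletin lists them as separate branches).
    Returns 'fixed', 'vulnerable', 'end-of-life' or 'unknown-branch'.
    """
    release, build, sub = parse_version(version)
    branch = f"{release}-{variant}" if variant else release
    if branch in EOL_BRANCHES:
        return "end-of-life"
    if branch not in FIXED_BUILDS:
        return "unknown-branch"
    # "and later releases": any build at or above the fixed one on the same branch is fixed
    return "fixed" if (build, sub) >= FIXED_BUILDS[branch] else "vulnerable"


if __name__ == "__main__":
    # constructed inventory: (hostname, version string, variant)
    fleet = [("adc-01", "13.1-48.47", None), ("adc-02", "13.1-49.13", None),
             ("adc-03", "12.1-65.36", "FIPS"), ("adc-04", "12.1-65.36", None)]
    for host, ver, var in fleet:
        print(host, ver, var or "standard", "->", assess(ver, var))
```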

Citrix on hacker forum

During the initial week of July, a zero-day vulnerability targeting Citrix ADC was publicly advertised on a hacker forum. While the available information is limited, some hints suggest a possible link to the security bulletin released by Citrix.

In the forum post dated July 6, the author claimed to possess a remote code execution zero-day exploit, supposedly effective on versions of Citrix ADC up to 13.1 build 48.47. However, a conclusive connection to the Citrix security bulletin is yet to be established due to the scarcity of details provided.

Security experts expected active exploitation to continue until Citrix provided a fix for the issue.

Organizations are advised to initiate an investigation to determine whether they have been compromised. One way to do this is by searching for web shells that have been created after the last installation date.

Furthermore, anomalies in HTTP error logs might indicate initial exploitation, making it important for administrators to carefully inspect these logs. Additionally, administrators can review shell logs for any unusual commands that may have been executed during the post-exploitation phase.
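The triage described in the two paragraphs above, written out as an added Python example (not code from the article or from Citrix): list files modified after the last install date, keep the script files as web-shell candidates, and cross-reference their names against HTTP error log or shell log lines. The web root, install date and log lines are constructed placeholders; on a real appliance the functions would be pointed at its own web directories and log files.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File types a planted web shell would typically carry (assumption; extend as needed)
SCRIPT_EXT = {".php", ".pl", ".py", ".sh", ".cgi"}


def files_newer_than(root, since):
    """Files under root whose mtime is later than `since` (an aware datetime), newest first."""
    cutoff = since.timestamp()
    hits = [p for p in Path(root).rglob("*") if p.is_file() and p.stat().st_mtime > cutoff]
    return sorted(hits, key=lambda p: p.stat().st_mtime, reverse=True)


def new_script_files(root, since):
    """Subset of the new files that are scripts: the first web-shell candidates to review."""
    return [p for p in files_newer_than(root, since) if p.suffix.lower() in SCRIPT_EXT]


def log_lines_mentioning(lines, files):
    """Log lines (HTTP error log or shell log) that reference one of the new files by name."""
    names = {p.name for p in files}
    return [line for line in lines if any(name in line for name in names)]


def build_constructed_tree():
    """Create a throwaway web root: one pre-install file and one post-install script."""
    root = Path(tempfile.mkdtemp())
    install_date = datetime(2023, 7, 1, tzinfo=timezone.utc)
    ts = install_date.timestamp()
    old = root / "index.html"
    old.write_text("legitimate content\n")
    os.utime(old, (ts - 86400, ts - 86400))   # modified the day before the install
    (root / "cache").mkdir()
    script = root / "cache" / "helper.php"
    script.write_text("<?php // constructed placeholder, not a real payload\n")
    os.utime(script, (ts + 3600, ts + 3600))   # appeared an hour after the install
    return root, install_date


if __name__ == "__main__":
    root, since = build_constructed_tree()
    candidates = new_script_files(root, since)
    # constructed lines standing in for the appliance's HTTP error log
    errlog = ["[error] script not found: /cache/helper.php", "[error] client timed out"]
    print("new scripts:", [str(p) for p in candidates])
    print("log lines to review:", log_lines_mentioning(errlog, candidates))
```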

The updates also address two other vulnerabilities: CVE-2023-3466 and CVE-2023-3467, both of which are of high severity with scores of 8.3 and 8, respectively.

CVE-2023-3466 is classified as a reflected cross-site scripting (XSS) issue. Exploiting this vulnerability requires the victim to load a link from an attacker in their browser, and the vulnerable appliance must be reachable from the same network.

On the other hand, Citrix identifies CVE-2023-3467 as a privilege escalation vulnerability, enabling an attacker to elevate their privileges to those of the root administrator (nsroot). To exploit this flaw, the attacker needs authenticated access to the appliance's NetScaler IP address (NSIP) or to a subnet IP (SNIP) that can reach the management interface.

As of now, specific technical details about all three vulnerabilities have not been disclosed to the public. However, organisations with NetScaler ADC and Gateway appliances should give priority to updating their systems to protect against potential exploitation.

Enlisting help from a cyber security company

There are always measures a business can take to minimise the damage from a cyber attack, and a cyber security company can support them with services such as:

Vulnerability Assessment and Penetration Testing: Thorough vulnerability assessments and penetration tests can be conducted to identify weaknesses and potential entry points in the organization's network, including the Citrix ADC and Gateway appliances. This helps to proactively discover any issues and prioritise their remediation.

Web Application Security Assessment: Cyber security firms can assess the security of web applications hosted on Citrix ADC and Gateway to identify and address any potential XSS vulnerabilities, like CVE-2023-3466.

In conclusion

The identified vulnerabilities in Citrix ADC and Gateway appliances underscore the critical importance of proactive cyber security measures. These vulnerabilities, including the remote code execution flaw (CVE-2023-3519), the reflected cross-site scripting issue (CVE-2023-3466), and the privilege escalation vulnerability (CVE-2023-3467), pose significant threats to organizations' data, systems, and overall security.

To effectively address these risks, organisations should prioritize updating their Citrix appliances to the latest versions provided by the vendor. Engaging with a reputable cyber security company can greatly aid in this process, offering valuable services such as vulnerability assessments, security patch management, incident response planning, and continuous monitoring.
