Today, Citrix alerts customers of a critical-severity vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway that already has exploits in the wild and “strongly urges” to install updated versions without delay.
The security issue may be the one advertised earlier this month on a hacker forum as a zero-day vulnerability.
Formerly Citrix ADC and Citrix Gateway, the two NetScaler products, received new versions today to mitigate three vulnerabilities.
The most severe of them received a score of 9.8 out of 10, which is tracked as CVE-2023-3519. An attacker can exploit it to execute code remotely without authentication.
For hackers to leverage the security issue in attacks, the vulnerable appliance must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication virtual server (the so-called AAA server).
In a security bulletin today, Citrix says that “exploits of CVE-2023-3519 on unmitigated appliances have been observed” and strongly advises its customers to switch to an updated version that fixes the issue:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP
The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage, and customers should upgrade to a newer product variant.
Citrix 0day on a hacker forum
In the first week of July, someone advertised a zero-day vulnerability for Citrix ADC on a hacker forum. The details are too few to link to the Citrix security bulletin today, but the little clues available appear to point to it.
The post’s author said on July 6 that they had a remote code execution zero-day that allegedly worked for versions of Citrix ADC up to 13.1 build 48.47.
Defenders knowing about the issue said they expected active exploitations to continue until Citrix released a fix.
Organizations can start investigating if they’ve been compromised by looking for newer web shells than the last installation date.
HTTP error logs may also reveal anomalies that could indicate initial exploitation. Administrators can also check the shell logs for unusual commands in the post-exploitation phase.
XSS and privilege escalation
The updates also include fixes for two other vulnerabilities identified as CVE-2023-3466 and CVE-2023-3467. Both have a high severity score of 8.3 and 8, respectively.
CVE-2023-3466 is a reflected cross-site scripting (XSS) issue that can be exploited if a victim loads a link from an attacker in the browser and the vulnerable appliance is reachable from the same network.
Citrix lists CVE-2023-3467 as a vulnerability that allows an attacker to elevate privileges to those of a root administrator (nsroot).
Leveraging this flaw requires authenticated access to the NetScaler appliances IP address (NSIP) or a subnet IP (SNIP) with access to the management interface.
At the time of writing, technical details about all three vulnerabilities are not publicly available but organizations with NetScaler ADC and Gateway appliances should prioritize updating them.