Citrix ADC and Gateway zero-day actively exploited in attacks

Citrix today is alerting customers of a critical-severity vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway that already has exploits in the wild, and “strongly urges” to install updated versions without delay.

The security issue may be the same one advertised earlier this month on a hacker forum as a zero-day vulnerability.

Mandatory patch

Formerly Citrix ADC and Citrix Gateway, the two NetScaler products received new versions today to mitigate a set of three vulnerabilities.

The most severe of them received a score of 9.8 out of 10 and it is tracked as CVE-2023-3519. An attacker can exploit it to execute code remotely without authentication.

For hackers to leverage the security issue in attacks, the vulnerable appliance must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (the so-called AAA server).

In a security bulletin today, Citrix says that “exploits of CVE-2023-3519 on unmitigated appliances have been observed” and strongly advises its customers to switch to an updated version that fixes the issue:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0 
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS 
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS 
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.

Citrix 0day on hacker forum

In the first week of July, someone advertised on a hacker forum a zero-day vulnerability for Citrix ADC. The details are too few to definitely link it to the Citrix security bulletin today but the little clues available appear to point to it.

The author of the post said on July 6 that they had a remote code execution zero-day that allegedly worked for versions of Citrix ADC up to 13.1 build 48.47.

Ad on hacker forum offering Citrix 0day

BleepingComputer also received a tip a while ago that Citrix had learned of a zero-day advertisement on a cybercrime forum and was working on a patch before disclosing the problem.

Defenders knowing about the issue said that they expected active exploitations to continue until Citrix released a fix.

Organizations can start investigating if they’ve been compromised by looking for web shells that are newer than the last installation date.

HTTP error logs may also reveal anomalies that could indicate initial exploitation. Administrators can also check the shell logs for unusual commands that may be used in the post-exploitation phase.

XSS and privilege escalation

The updates also include fixes for two other vulnerabilities identified as CVE-2023-3466 and CVE-2023-3467. Both have a high severity score of 8.3 and 8, respectively.

CVE-2023-3466 is a reflected cross-site scripting (XSS) issue that can be exploited if a victim loads in the browser a link from an attacker and the vulnerable appliance is reachable from the same network.

Citrix lists CVE-2023-3467 as a vulnerability that allows an attacker to elevate privileges to those of a root administrator (nsroot).

Leveraging this flaw requires authenticated access to the NetScaler appliances IP address (NSIP) or a SubNet IP (SNIP) with access to the management interface.

At the time of writing, technical details about all three vulnerabilities are not publicly available but organizations with NetScaler ADC and Gateway appliances should prioritize updating them.

Source: www.bleepingcomputer.com