Contents:
Citrix urged customers to patch NetScaler ADC and Gateway products after discovering a critical-severity zero-day vulnerability. The flaw was dubbed CVE-2023-3519, ranked 9.8 on the CVSS, and was observed exploited in the wild.
The company released updated versions of the affected products and alerted its customers to patch immediately.
What`s at Risk
Researchers announced that hackers can exploit CVE-2023-3519 to perform unauthenticated remote code execution.
The Citrix zero-day vulnerability is known to impact the following versions of the NetScaler ADC and Gateway products:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297, and
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
In order for the exploit to work, according to the company,
the Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Apart from the zero-day, researchers found two more CVEs impacting Citrix products:
- CVE-2023-3466 (CVSS score: 8.3) – Enables reflected Cross-Site Scripting (XSS), which could result in unauthorized execution of malicious scripts. For it to be exploited, threat actors have to trick their target to click a malicious link in the browser. Also, the victim should be on a network with connectivity to the NSIP.
- CVE-2023-3467 (CVSS score: 8.0) – Enables privilege escalation to the root administrator (nsroot). In this case, authenticated access to NSIP or SNIP with management interface access is required.
Signs of Compromise and Security Measures
Finding web shells that are more recent than the last installation date could be an indicator of compromise (IoC). In addition, according to Bleepingcomputer.com:
HTTP error logs may also reveal anomalies that could indicate initial exploitation. Administrators can also check the shell logs for unusual commands that may be used in the post-exploitation phase.
Companies should update the aforementioned versions to:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP
Although NetScaler ADC and NetScaler Gateway version 12.1 are also on the list of affected products, they were not patched. Both have reached the end-of-life stage, consequently, customers are advised to upgrade to a more recent version.
Update August 2023
A recent report has highlighted the actions of a threat actor associated with the FIN8 hacking group, who are taking advantage of a critical vulnerability within Citrix NetScaler systems.
Despite security updates being available for over a month, more than 31,000 instances of Citrix NetScaler remain vulnerable to this flaw.
Attribution to the FIN8 group is based on shared tactics, techniques, and procedures (TTPs) with previous attacks. These activities include the use of similar infrastructure, hosting services, PowerShell scripts, and the adoption of the PuTTY Secure Copy Protocol for file transfers. These patterns were recognized before the integration of the Citrix vulnerability in mid-August.
In response to this threat, organizations are advised to conduct an indicator of compromise (IOC) check on their NetScaler systems, even if they’ve applied the necessary patch. Furthermore, organizations should enhance their defensive strategies by consistently monitoring network behavior for anomalies, regularly performing security assessments, and educating their staff about potential threats and attack methods.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube, for more cybersecurity news and topics.