Heimdal
Home > Cybersecurity News

Zero-Day Alert! Critical Flaw in Citrix ADC and Gateway Exploited in the Wild (Updated)

CVE-2023-3519 Can Enable Unauthenticated Remote Code Execution.

Last updated on August 31, 2023

article featured image

Contents:

Citrix urged customers to patch NetScaler ADC and Gateway products after discovering a critical-severity zero-day vulnerability. The flaw was dubbed CVE-2023-3519, ranked 9.8 on the CVSS, and was observed exploited in the wild.

The company released updated versions of the affected products and alerted its customers to patch immediately.

What`s at Risk

Researchers announced that hackers can exploit CVE-2023-3519 to perform unauthenticated remote code execution.

The Citrix zero-day vulnerability is known to impact the following versions of the NetScaler ADC and Gateway products:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297, and
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

In order for the exploit to work, according to the company,

the Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

Source

Apart from the zero-day, researchers found two more CVEs impacting Citrix products:

  • CVE-2023-3466 (CVSS score: 8.3) – Enables reflected Cross-Site Scripting (XSS), which could result in unauthorized execution of malicious scripts. For it to be exploited, threat actors have to trick their target to click a malicious link in the browser. Also, the victim should be on a network with connectivity to the NSIP.
  • CVE-2023-3467 (CVSS score: 8.0) – Enables privilege escalation to the root administrator (nsroot). In this case, authenticated access to NSIP or SNIP with management interface access is required.

Signs of Compromise and Security Measures

Finding web shells that are more recent than the last installation date could be an indicator of compromise (IoC). In addition, according to Bleepingcomputer.com:

HTTP error logs may also reveal anomalies that could indicate initial exploitation. Administrators can also check the shell logs for unusual commands that may be used in the post-exploitation phase.

Companies should update the aforementioned versions to:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

Although NetScaler ADC and NetScaler Gateway version 12.1 are also on the list of affected products, they were not patched. Both have reached the end-of-life stage, consequently, customers are advised to upgrade to a more recent version.

Update August 2023

A recent report has highlighted the actions of a threat actor associated with the FIN8 hacking group, who are taking advantage of a critical vulnerability within Citrix NetScaler systems.

Despite security updates being available for over a month, more than 31,000 instances of Citrix NetScaler remain vulnerable to this flaw.

Attribution to the FIN8 group is based on shared tactics, techniques, and procedures (TTPs) with previous attacks. These activities include the use of similar infrastructure, hosting services, PowerShell scripts, and the adoption of the PuTTY Secure Copy Protocol for file transfers. These patterns were recognized before the integration of the Citrix vulnerability in mid-August.

In response to this threat, organizations are advised to conduct an indicator of compromise (IOC) check on their NetScaler systems, even if they’ve applied the necessary patch. Furthermore, organizations should enhance their defensive strategies by consistently monitoring network behavior for anomalies, regularly performing security assessments, and educating their staff about potential threats and attack methods.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube, for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

Related Articles

Automated Patch Management Explained: Definition, Benefits, Best Practices & MoreWhat Is an Exploit? Definition, Types, and Prevention MeasuresWhat Is Vulnerability Assessment?What Is a Remote Code Execution Attack? Definition, Risks, and Mitigation MeasuresRemote Code Execution vs. Reverse Shell Attacks – Staging, Purpose, and ImpactVulnerability Management Lifecycle [Step by Step Through the Process]What Is a CVE? Common Vulnerabilities and Exposures ExplainedIndicators of Compromise (IoCs) and Their Importance in CybersecurityDefining Zero-Day VulnerabilityWhat Is an XSS Attack? Definition, Types, Prevention

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V