Citrix ADC and Citrix Gateway Security Vulnerabilities

Citrix ADC and Citrix Gateway Security Vulnerabilities Announcement for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Bulletin Summary:

Citrix has identified multiple vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). These vulnerabilities pose critical security risks to organizations utilizing these products. Of particular concern is the presence of an unauthenticated remote code execution vulnerability, which allows attackers to execute arbitrary code on affected servers without requiring any authentication. Other vulnerabilities include reflected cross-site scripting (XSS) attacks, and privilege escalation to root administrator.

Affected Products:

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-55.297
• NetScaler ADC 12.1-NDcPP before 12.1-55.297

Please note that NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL) but remains vulnerable.

Vulnerability Details:

1. CVE-2023-3519: Unauthenticated Remote Code Execution (CVSS: 9.8)
   • This vulnerability allows remote attackers to execute arbitrary code on a vulnerable server.
   • Exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.
   • The vulnerability is rated as critical and Citrix reports that “Exploits of CVE-2023-3519 on unmitigated appliances have been observed.”
2. CVE-2023-3466: Reflected Cross-Site Scripting (XSS) (CVSS: 8.3)
   • This vulnerability enables an attacker to perform an XSS attack by tricking a victim into accessing an attacker-controlled link while connected to the same network.
3. CVE-2023-3467: Privilege Escalation to root administrator (nsroot) (CVSS: 8.0)
   • Authenticated access to NSIP or SNIP with management interface access can lead to privilege escalation to the root administrator.

Recommended Actions:

1. Cloud Software Group strongly advises affected customers to install the relevant updated versions as soon as possible. Ensure that you are using one of the following fixed releases or later:
   • NetScaler ADC and NetScaler Gateway 13.1-49.13
   • NetScaler ADC and NetScaler Gateway 13.0-91.13
   • NetScaler ADC 13.1-FIPS 13.1-37.159
   • NetScaler ADC 12.1-FIPS 12.1-55.297
   • NetScaler ADC 12.1-NDcPP 12.1-55.297
2. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected by this bulletin.
3. Organizations with NetScaler ADC and NetScaler Gateway version 12.1 should upgrade their appliances to a supported version immediately to mitigate potential threats.

Additional Information:

• Citrix ADC and Gateway appliances have been targeted by attackers in the past, making prompt patching crucial.
• A recent zero-day vulnerability for Citrix ADC was advertised on a hacker forum, highlighting the importance of fixing security flaws promptly. The author of the post said that they had a remote code execution zero-day that allegedly worked for versions of Citrix ADC up to 13.1 build 48.47.
• As of now, there was no proof-of-concept available for CVE-2023-3519.

The SOC teams of OBRELA remain vigilant and are closely monitoring clients’ infrastructure regarding potential exploitation attempts and IoCs.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2023-3519
• https://nvd.nist.gov/vuln/detail/CVE-2023-3466
• https://nvd.nist.gov/vuln/detail/CVE-2023-3467
• https://thehackernews.com/2023/07/zero-day-attacks-exploited-critical.html?&web_view=true
• https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
• https://www.tenable.com/blog/cve-2023-3519-critical-rce-in-netscaler-adc-citrix-adc-and-netscaler-gateway-citrix-gateway