Citrix ADC and Citrix Gateway Vulnerabilities

On July 18th, 2023, Citrix issued an alert to customers regarding a critical vulnerability (CVE-2023-3519) in its NetScaler ADC and NetScaler Gateway products. The security flaw, rated 9.8 out of 10 in severity, allows attackers to execute code remotely without authentication. Exploits for this vulnerability have been observed in the wild, prompting Citrix to strongly urge users to install the latest updates immediately. Additionally, Citrix fixed two other high-severity vulnerabilities (CVE-2023-3466 and CVE-2023-3467) that involve cross-site scripting and privilege escalation. Customers are advised to upgrade to the latest versions of NetScaler ADC and NetScaler Gateway to mitigate the risks posed by these vulnerabilities. As of the advisory date, there is no current technical write-up or proof of concept available for this vulnerability, but it is crucial for organizations to prioritize updates and implement necessary security measures proactively.

Security Advisory Notice:
Citrix ADC and Citrix Gateway Vulnerabilities: (CVE-2023-3466, CVE-2023-3467, CVE-2023-3519)

Affected Software / System

This advisory specifically applies to the following Citrix products:

• Citrix ADC (also known as NetScaler ADC)
• Citrix Gateway (also known as NetScaler Gateway)

The following versions are affected by the vulnerabilities:

• NetScaler ADC and NetScaler Gateway 1 before 13.1-49.13 
• NetScaler ADC and NetScaler Gateway 0 before 13.0-91.13 
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-55.297
• NetScaler ADC 12.1-NDcPP before 12.1-55.297

CVE (if applicable)

• CVE-2023-3466
• CVE-2023-3467
• CVE-2023-3519

Type

There are three types of vulnerabilities for the affected software/systems.

1. CVE-2023-3519 is a CVSSv3 9.8 Critical Severity unauthenticated remote code execution vulnerability. This vulnerability requires that any appliance running the affected software be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
2. CVE-2023-3466 is a CVSSv3 8.3 High Severity Cross-Site Scripting (XSS) vulnerability. This vulnerability requires the victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIP.
3. CVE-2023-3467 is a CVSSv3 8.0 High Severity Privilege Escalation vulnerability. This vulnerability requires authenticated access to NSIP or SNIP with management interface access.

Exploit Status: 

The security bulletin from Citrix has noted active instances of threat actors exploiting the most severe vulnerability, CVE-2023-3519, “in the wild” in real-world incidents. It is likely that the other two vulnerabilities could be leveraged in conjunction with the first, following the initial breach by the threat actors. 

Rating

CVE-2023-3466
• CVSSv3 score: 8.3
• Severity: High

CVE-2023-3467
• CVSSv3 score: 8
• Severity: High

CVE-2023-3519
• CVSSv3 score: 9.8
• Severity: Critical

Vulnerability Summary

On July 18th, 2023, Citrix issued an alert to customers regarding a critical vulnerability (CVE-2023-3519) in its NetScaler ADC and NetScaler Gateway products. The security flaw, rated 9.8 out of 10 in severity, allows attackers to execute code remotely without authentication. Exploits for this vulnerability have been observed in the wild, prompting Citrix to strongly urge users to install the latest updates immediately. Additionally, Citrix fixed two other high-severity vulnerabilities (CVE-2023-3466 and CVE-2023-3467) that involve cross-site scripting and privilege escalation. Customers are advised to upgrade to the latest versions of NetScaler ADC and NetScaler Gateway to mitigate the risks posed by these vulnerabilities. As of the advisory date, there is no current technical write-up or proof of concept available for this vulnerability, but it is crucial for organizations to prioritize updates and implement necessary security measures proactively.

Impact

The identified vulnerabilities in the affected software pose significant risks to organizations. CVE-2023-3466, a Cross-Site Scripting (XSS) flaw, can lead to unauthorized data access and manipulation if victims interact with malicious links. CVE-2023-3467, a Privilege Escalation vulnerability, allows attackers with authenticated access to gain root administrator privileges, potentially leading to unauthorized access to critical resources. The most severe of the vulnerabilities, CVE-2023-3519, enables unauthenticated remote code execution, compromising the targeted system completely. Once a system is compromised, there is a high risk of corrupting or ransoming the organization's infrastructure backups, along with the possibility of lateral movement by the threat actor.

Mitigations

Immediately patch and install the latest updates of the affected systems and software. The updated versions of the software are as follows:
• NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
• NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0  
• NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS  
• NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS  
• NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
.

Ingalls MDR Clients Protections:

The Ingalls CTI team is actively engaged in hunting for any of the known indications of compromise at this time and will continue to closely monitor and develop additional detections as they become available. Please notify your assigned Primary Analyst if you suspect that your organization may be breached or require additional threat hunting and analysis.

Ingalls Recommends the Following Actions:

Implement the above mitigation actions on every affected Citrix appliance in your environment and roll out the latest patches as soon as possible.