NetScaler ADC and Gateway Zero-Day Vulnerability

THE THREAT

On July 18, 2023, Citrix disclosed three vulnerabilities impacting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), one of which is confirmed to be exploited in the wild, prior to the release of security patches. The zero-day vulnerability, tracked as CVE-2023-3519 (CVSS: 9.8), may be exploited by a remote and unauthenticated threat actor to achieve code execution. Citrix has not released any details relating to the current exploitation activity targeting NetScaler ADC and Gateway.

As exploitation has been confirmed in the wild, eSentire strongly encourages organizations using Citrix products to update to the most current version as soon as possible.

What we're doing about it

• eSentire Managed Vulnerability Service (MVS) will add the relevant plugins as they become available
• The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches
  • CVE-2023-3519 should be prioritized for immediate patching as exploitation has been confirmed
  • Alternative mitigations are not available at this time

Additional information

While details surrounding CVE-2023-3519 are still minimal, it should be noted, that for successful exploitation of the vulnerability, a vulnerable device must be configured as a Gateway or AAA virtual server. Citrix servers are not configured as Gateways or AAA virtual servers by default. The eSentire Threat Intelligence team will continue to track this vulnerability going forward.

The two other vulnerabilities, disclosed by Citrix in this release, are rated as high severity but have not been exploited in real-world attacks at this time.

• CVE-2023-3466 (CVSS: 8.3) - Reflected Cross-Site Scripting
• CVE-2023-2467 (CVSS: 8.0) - Privilege Escalation to root administrator (nsroot)

Impacted Citrix Products:

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-65.36
• NetScaler ADC 12.1-NDcPP before 12.65.36

NetScaler Gateway and NetScaler ADC version 12.1 is out of support and will not receive any additional updates. Organizations using version 12.1 are strongly recommended to update to a supported version as soon as possible.

References:

[1] https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467