Citrix has released an urgent advisory about a high-risk vulnerability (CVE-2023-3519) in its NetScaler ADC and NetScaler Gateway products. Existing exploits for this vulnerability have been identified, and Citrix is emphasizing the immediate need for users to apply the update.

This vulnerability may correspond to the one discussed on a hacker forum earlier this month, touted as a zero-day exploit.

Important Update Details

The products, originally labeled as Citrix ADC and Citrix Gateway, now have updated versions to address a trio of security issues. The most critical, with a rating of 9.8 out of 10, is identified as CVE-2023-3519. This flaw permits attackers to remotely run code without requiring authentication.

For a successful exploit, the compromised appliance needs to be set either as a type of gateway (e.g., VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication virtual server (referred to as AAA server).

Citrix’s recent security update revealed observed incidents of CVE-2023-3519 exploits on unsecured appliances. They advocate shifting to the following corrected versions:

NetScaler ADC and NetScaler Gateway 13.1-49.13 and subsequent iterations.
NetScaler ADC and NetScaler Gateway 13.0-91.13 and following 13.0 versions.
NetScaler ADC versions from 13.1-FIPS 13.1-37.159 onwards.
NetScaler ADC versions from 12.1-FIPS 12.1-65.36 onwards.
NetScaler ADC versions from 12.1-NDcPP 12.1-65.36 onwards.
It’s noteworthy that NetScaler ADC and NetScaler Gateway’s 12.1 version have reached their lifecycle’s end, prompting users to consider an upgrade.

Zero-Day Speculations in Hacker Circles

An individual claimed a Citrix ADC zero-day exploit in a hacker forum during the early days of July. While the exact details remain sparse, this might be linked to the recent Citrix advisory. The individual asserted possession of a functional remote code execution zero-day for Citrix ADC versions up to the 13.1 build 48.47 release.

Security experts had anticipated ongoing malicious activities until a fix was rolled out. Entities can ascertain compromises by identifying web shells added after the last known installation. Anomalies in HTTP error logs could also be indicative of exploitation, and scrutinizing shell logs for irregular commands might provide added clarity.

Additional Vulnerability Rectifications

The current updates also address two more vulnerabilities, namely CVE-2023-3466 and CVE-2023-3467, ranked 8.3 and 8 in severity, respectively.

CVE-2023-3466 pertains to a reflected cross-site scripting (XSS) vulnerability. It becomes exploitable if a victim, positioned on the same network, accesses a malicious link when the vulnerable device is online.

CVE-2023-3467 lets attackers attain elevated administrative rights. For this, attackers need authenticated access to either the NetScaler device’s primary IP or a connected SubNet IP with management capabilities.

At present, detailed breakdowns of these vulnerabilities are not open to the public. Organizations utilizing NetScaler ADC and Gateway devices should prioritize these updates for optimal security.