Hard News Hard Hitting News Source Global Political News

Over 15,000 Citrix Servers Vulnerable to Code Injection Attacks

Thousands of Citrix NetScaler ADC and Gateway servers are exposed to a critical unauthenticated RCE bug that threat actors previously exploited in the wild as a zero-day.

Threat actors exploited this zero-day vulnerability in June 2023 to drop a web shell on a critical infrastructure organization’s NetScaler ADC, leading to AD data exfiltration.

However, the threat actors' lateral movement to the domain controller was prevented by the effective network segmentation controls on the appliance.

Cyber security researchers at Shadowserver Foundation recently revealed that over 15000 Citrix servers are vulnerable to this critical code injection attack, which is tracked as CVE-2023-3519. The Cybersecurity and Infrastructure Security Agency (CISA) has also released a Cybersecurity Advisory (CSA).

Flaw Profile

  • CVE ID: CVE-2023-3519
  • Description: Unauthenticated remote code execution
  • CWE: CWE-94
  • CVSS Score: 9.8
  • Pre-requisite: Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server

Affected Versions of NetScaler ADC & NetScaler Gateway

The following versions of NetScaler ADC and NetScaler Gateway are affected:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1, now end of life
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.65.36
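
An added example (not from the article or from Citrix): a Python check that triages an appliance inventory against the affected-version list above, comparing build numbers numerically and applying the Gateway/AAA pre-requisite from the flaw profile. The hostnames, inventory entries, the banner-style version string and the `classify`/`triage` names are constructed for illustration, and the 12.1-NDcPP threshold assumes the list's "12.65.36" means 12.1-65.36.

```python
import re

# (release, edition) -> first unaffected build, taken from the list above.
# None: no fixed build is listed (12.1 standard is end of life).
# Assumption: "12.65.36" for 12.1-NDcPP is read as 12.1-65.36.
FIXED = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("12.1", "standard"): None,
    ("13.1", "fips"): (37, 159),
    ("12.1", "fips"): (65, 36),
    ("12.1", "ndcpp"): (65, 36),
}
# Accepts "13.1-48.47" as well as banner-style "NS13.1: Build 48.47.nc".
VERSION_RE = re.compile(r"(\d+\.\d+)\D+?(\d+)\.(\d+)")

def classify(version, edition="standard"):
    """Return 'affected', 'patched' or 'unknown' for one version string."""
    m = VERSION_RE.search(version)
    if not m:
        return "unknown"
    key = (m.group(1), edition.lower())
    if key not in FIXED:
        return "unknown"  # release not covered by the list above
    fixed = FIXED[key]
    build = (int(m.group(2)), int(m.group(3)))
    # Integer tuples, so build 91.9 sorts before 91.13 (a string compare would not).
    return "affected" if fixed is None or build < fixed else "patched"

INVENTORY = [  # constructed sample: host, version, edition, Gateway/AAA role
    ("adc-edge-01", "13.1-48.47", "standard", True),
    ("adc-edge-02", "13.1-49.13", "standard", True),
    ("adc-lab-03", "NS13.0: Build 91.9.nc", "standard", False),
    ("adc-fips-04", "12.1-55.330", "fips", True),
    ("adc-old-05", "12.1-65.36", "standard", True),
]

def triage(inventory):
    """Map host -> status; 'exposed' = affected build with Gateway/AAA role."""
    result = {}
    for host, version, edition, gateway_or_aaa in inventory:
        status = classify(version, edition)
        if status == "affected" and gateway_or_aaa:
            status = "exposed"
        result[host] = status
    return result

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```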

Exploitation and Patch

On July 18th, Citrix urgently released security updates for the RCE vulnerability (CVE-2023-3519) after observing exploits on unmitigated appliances, urging immediate patch installation.

The zero-day RCE (CVE-2023-3519) for Citrix ADC was likely circulating online from early July when a threat actor advertised it on a hacker or dark web forum.

Besides this, Citrix also addressed two other high-severity flaws tracked as CVE-2023-3466 and CVE-2023-3467 on the same day – one enabling XSS attacks and the other granting root permissions.

The second flaw, with greater impact, demands authenticated access via IP (NSIP) or SubNet IP (SNIP) to the vulnerable appliances’ management interface.

A recent CISA order mandates that U.S. federal agencies immediately secure Citrix servers against ongoing attacks by the 9th of August, after the bug was exploited to breach a critical infrastructure organization’s systems.

Source: https://cybersecuritynews.com/over-15000-citrix-servers-vulnerable/
