Rapid7 Blog, Caitlin Condon
Jul 18, 2023 - 3:28 p.m.

Critical Zero-Day Vulnerability in Citrix NetScaler ADC and NetScaler Gateway



On Tuesday, July 18, Citrix published a security bulletin warning users of three new vulnerabilities affecting NetScaler ADC and NetScaler Gateway. Of the three vulnerabilities, CVE-2023-3519 is the most severe—successful exploitation allows unauthenticated attackers to execute code remotely on vulnerable target systems that are configured as a Gateway.

  • CVE-2023-3466: Reflected XSS vulnerability—successful exploitation requires the victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NetScaler IP (NSIP)
  • CVE-2023-3467: Allows for privilege escalation to root administrator (nsroot)
  • CVE-2023-3519: Unauthenticated remote code execution—NOTE that the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

According to the advisory, CVE-2023-3519 has been exploited in the wild.

On July 20, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a detailed bulletin on observed attacker activity. The bulletin notes that threat actors exploited CVE-2023-3519 as a zero-day “to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data.”

This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly. Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. See the Citrix advisory for more information.

Affected Products

According to Citrix, the following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.1-65.36

The advisory notes that NetScaler ADC and NetScaler Gateway version 12.1 is End Of Life (EOL) and is vulnerable. Citrix recommends that customers who are using an EOL version upgrade their appliances to one of the supported fixed versions below.

All three CVEs are remediated in the following fixed product versions:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP
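As an added illustration (not part of the original post and not a Rapid7 or Citrix tool), the branch and build lists above can be turned into a small triage helper for an appliance inventory. The FIPS and NDcPP branches carry their own build numbering, so the variant has to be known to compare correctly; the `MAJOR.MINOR-BUILD.PATCH` parsing, the status names, the hostnames and the sample inventory are assumptions made for this example.

```python
import re

# Minimum fixed build per branch, taken from the fixed-version list above.
FIXED_BUILDS = {
    "13.1": (13, 1, 49, 13),
    "13.0": (13, 0, 91, 13),
    "13.1-FIPS": (13, 1, 37, 159),
    "12.1-FIPS": (12, 1, 65, 36),
    "12.1-NDcPP": (12, 1, 65, 36),
}
EOL_BRANCHES = {"12.1"}  # standard 12.1 is EOL, vulnerable, and has no fixed build

VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")  # assumed version format

def parse_build(version):
    """'MAJOR.MINOR-BUILD.PATCH' -> tuple of ints, or None if it does not parse."""
    m = VERSION_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def assess(version, variant=""):
    """Classify one appliance as 'fixed', 'vulnerable', 'eol-vulnerable',
    'unknown-branch' or 'unparseable'. variant is '', 'FIPS' or 'NDcPP'."""
    build = parse_build(version)
    if build is None:
        return "unparseable"
    branch = f"{build[0]}.{build[1]}" + (f"-{variant}" if variant else "")
    if branch in EOL_BRANCHES:
        return "eol-vulnerable"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"  # branch not covered by the advisory text
    return "fixed" if build >= fixed else "vulnerable"

def rce_exposed(version, variant="", gateway_or_aaa=False):
    """CVE-2023-3519 only reaches appliances configured as a Gateway or AAA
    virtual server. Unpatched boxes without that role still need the update
    for the other two CVEs but are not exposed to the unauthenticated RCE."""
    status = assess(version, variant)
    return status in ("vulnerable", "eol-vulnerable") and gateway_or_aaa

# Constructed sample inventory: (hostname, version, variant, gateway/AAA role).
INVENTORY = [
    ("ns-edge-01", "13.1-48.47", "", True),
    ("ns-fips-01", "13.1-37.159", "FIPS", True),
    ("ns-lab-01", "12.1-65.36", "", False),
]

if __name__ == "__main__":
    for host, ver, var, role in INVENTORY:
        print(f"{host:11} {ver:12} {assess(ver, var):15} rce={rce_exposed(ver, var, role)}")
```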

Mitigation guidance

Patches are available for vulnerable versions of NetScaler ADC and NetScaler Gateway and should be applied on an emergency basis. For more information, see Citrix’s advisory.

CISA’s bulletin has an extensive list of attacker behaviors and artifacts that may aid in threat hunting.

Rapid7 customers

Authenticated vulnerability checks for all three CVEs are available to InsightVM and Nexpose customers as of the July 18, 2023 content update.