On Tuesday, July 18, Citrix published a security bulletin warning users of three new vulnerabilities affecting NetScaler ADC and NetScaler Gateway. Of the three vulnerabilities, CVE-2023-3519 is the most severe—successful exploitation allows unauthenticated attackers to execute code remotely on vulnerable target systems that are configured as a Gateway.
According to the advisory, CVE-2023-3519 has been exploited in the wild.
On July 20, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a detailed bulletin on observed attacker activity. The bulletin notes that threat actors exploited CVE-2023-3519 as a zero-day “to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data.”
This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly. Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. See the Citrix advisory for more information.
According to Citrix, the following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
The advisory notes that NetScaler ADC and NetScaler Gateway version 12.1 is End Of Life (EOL) and is vulnerable. Citrix recommends that customers who are using an EOL version upgrade their appliances to one of the supported fixed versions below.
All three CVEs are remediated in the following fixed product versions:
Patches are available for vulnerable versions of NetScaler ADC and NetScaler Gateway and should be applied on an emergency basis. For more information, see Citrix’s advisory.
CISA’s bulletin has an extensive list of attacker behaviors and artifacts that may aid in threat hunting.
Authenticated vulnerability checks for all three CVEs are available to InsightVM and Nexpose customers as of the July 18, 2023 content update.