What is the critical zero-day vulnerability in Citrix ADC and Gateway and how to mitigate it

Citrix recently issued an advisory alerting customers of a critical-severity vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway that already has exploits in the wild. To mitigate the risk, Citrix strongly advises its customers to promptly install the latest updates for these products. Interestingly, this security issue might be the same one that was recently advertised as a zero-day vulnerability on a hacker forum.

Vulnerability details:

Citrix has released new versions for its NetScaler products, formerly known as Citrix Application Delivery Controller (ADC) and Citrix Gateway. These updates aim to address a set of three vulnerabilities, with the most severe one being tracked as CVE-2023-3519. This critical vulnerability scored 9.8 out of 10 on the severity scale and allows attackers to execute code remotely without requiring authentication. However, it’s important to note that for hackers to exploit this security issue in their attacks, the vulnerable appliance must be configured either as a gateway (such as VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (also known as the AAA server). Immediate installation of the updates is strongly recommended to safeguard against potential exploits.

Tracked as CVE-2023-3519 with a high CVSS score of 9.8, this vulnerability involves a critical case of code injection that could lead to unauthenticated remote code execution. The impacted versions include:

  • NetScaler ADC and NetScaler Gateway 13.1 versions before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 versions before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
  • NetScaler ADC 13.1-FIPS versions before 13.1-37.159
  • NetScaler ADC 12.1-FIPS versions before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP versions before 12.1-55.297

The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.

In addition to CVE-2023-3519, two other vulnerabilities have been addressed:

  • CVE-2023-3466 (CVSS score: 8.3) – This vulnerability involves improper input validation, which could lead to a reflected cross-site scripting (XSS) attack.
  • CVE-2023-3467 (CVSS score: 8.0) – This vulnerability is related to improper privilege management, potentially allowing privilege escalation to the root administrator (nsroot).

Both CVE-2023-3466 and CVE-2023-3467 are significant security issues that have been fixed in the latest updates.

The impact so far

According to the Cybersecurity and Infrastructure Security Agency (CISA), threat actors have exploited CVE-2023-3519 to breach the network of a U.S. organization in the critical infrastructure sector. The attackers leveraged the unauthenticated remote code execution (RCE) flaw to plant a web shell on the target's non-production NetScaler ADC appliance. The backdoor enabled them to enumerate Active Directory (AD) objects, including users, groups, applications, and devices on the network, and to steal AD data.

Other reports reveal that the CVE-2023-3519 zero-day exploit has likely affected more than 15,000 NetScaler ADC and Gateway servers exposed online.

How to detect whether your organization is compromised

Organizations can check for signs of compromise by running a few checks on the ADC shell interface.

  • One way to start the investigation is to look for web shells, i.e. files in the web-facing directories that are newer than the last installation date of the appliance.
  • HTTP error logs may also reveal anomalies that could indicate initial exploitation. Administrators can also check the shell logs for unusual commands that may be used in the post-exploitation phase.
  • Reviewing network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC is important as this may indicate AD/LDAP enumeration.
  • Organizations must also watch for unusually large outbound transfers from the ADC within a short period of time, as these can be indicative of data exfiltration.
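The four checks above can be expressed as small, testable functions. The following script is an added example, not code from SISA, Citrix or CISA; it runs against constructed sample data (a temporary web root with one file older and one newer than an assumed install timestamp, and firewall and HTTP error log lines in a made-up `epoch src dst dport bytes` / `epoch client status path` layout that is not NetScaler's own format). The ADC address, thresholds and window sizes are assumptions to be replaced with values from your environment; the logic (files newer than a reference time, per-client error bursts, per-minute LDAP/LDAPS connection counts from the ADC, and outbound byte totals per time window) is what each bullet describes.

```python
"""Triage checks for a NetScaler ADC appliance, run over constructed sample data.

Added example (not vendor code). Each function models one check from the
advisory: files newer than the last install date, bursts in the HTTP error
log, LDAP/LDAPS connection spikes sourced from the ADC, and large outbound
transfers inside a short window. Log formats here are constructed.
"""
import os
import tempfile
from collections import Counter

LDAP_PORTS = {389, 636, 3268, 3269}   # LDAP, LDAPS, Global Catalog (plain/TLS)
ADC_IP = "10.0.0.5"                   # assumed address of the appliance


def files_newer_than(root, reference_epoch):
    """Return every file under root whose mtime is later than reference_epoch."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mtime > reference_epoch:
                hits.append(path)
    return sorted(hits)


def build_sample_webroot():
    """Constructed web root: one file from the install, one written afterwards.
    Returns (root_dir, install_epoch); the caller compares against install_epoch."""
    root = tempfile.mkdtemp(prefix="ns_gui_sample_")
    install_epoch = 1_689_000_000                      # constructed install time
    samples = (("index.html", install_epoch - 86_400),  # shipped with the install
               ("unexpected.php", install_epoch + 3_600))  # appeared an hour later
    for name, mtime in samples:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.utime(path, (mtime, mtime))                # set the mtime explicitly
    return root, install_epoch


def parse_conn_line(line):
    """Constructed firewall log layout: 'epoch src dst dport bytes_out'."""
    ts, src, dst, dport, nbytes = line.split()
    return int(ts), src, dst, int(dport), int(nbytes)


def ldap_connection_spikes(lines, adc_ip, per_minute_threshold):
    """Minutes (as epoch of the minute start) in which the ADC opened more
    LDAP/LDAPS connections than per_minute_threshold."""
    per_minute = Counter()
    for line in lines:
        ts, src, _, dport, _ = parse_conn_line(line)
        if src == adc_ip and dport in LDAP_PORTS:
            per_minute[(ts // 60) * 60] += 1
    return {start: n for start, n in per_minute.items() if n > per_minute_threshold}


def outbound_transfer_alerts(lines, adc_ip, window_seconds, byte_threshold):
    """Windows (epoch of window start) in which bytes sent by the ADC exceeded
    byte_threshold, regardless of destination."""
    per_window = Counter()
    for line in lines:
        ts, src, _, _, nbytes = parse_conn_line(line)
        if src == adc_ip:
            per_window[(ts // window_seconds) * window_seconds] += nbytes
    return {start: b for start, b in per_window.items() if b > byte_threshold}


def http_error_bursts(error_lines, per_client_threshold):
    """Client IPs with more HTTP error-log entries than per_client_threshold.
    Constructed layout: 'epoch client status path'."""
    counts = Counter(line.split()[1] for line in error_lines)
    return {ip: n for ip, n in counts.items() if n > per_client_threshold}


# Constructed firewall log: a quiet baseline, an LDAP burst, then a large upload.
FIREWALL_LOG = (
    ["1689001200 10.0.0.5 10.0.0.10 636 800",
     "1689001230 10.0.0.5 10.0.0.10 636 800"]
    + [f"{1689001260 + i * 5} 10.0.0.5 10.0.0.10 389 1200" for i in range(8)]
    + [f"{1689002000 + i * 15} 10.0.0.5 203.0.113.9 443 9000000" for i in range(6)]
)

# Constructed HTTP error log: two ordinary misses, then twelve errors from one client.
HTTP_ERROR_LOG = (
    ["1689000900 192.0.2.7 404 /vpn/index.html",
     "1689000960 192.0.2.7 404 /favicon.ico"]
    + [f"{1689001000 + i} 198.51.100.23 500 /path{i}" for i in range(12)]
)


if __name__ == "__main__":
    root, installed = build_sample_webroot()
    print("files newer than install:", files_newer_than(root, installed))
    print("HTTP error bursts:", http_error_bursts(HTTP_ERROR_LOG, 10))
    print("LDAP spikes:", ldap_connection_spikes(FIREWALL_LOG, ADC_IP, 5))
    print("outbound alerts:", outbound_transfer_alerts(FIREWALL_LOG, ADC_IP, 300, 50_000_000))
```

On a real appliance the reference time for `files_newer_than` is the mtime of a file laid down by the last upgrade, and the thresholds should be derived from a baseline of the appliance's normal AAA lookup rate and outbound volume rather than the illustrative numbers used here.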

Mitigation measures

Customers running NetScaler ADC and NetScaler Gateway version 12.1 are strongly advised to upgrade their appliances to a supported version. By applying the available patches (all three vulnerabilities have been addressed in the released builds), users can ensure their systems are protected against the identified issues.

SISA also recommends that customers follow best cybersecurity practices in production and enterprise environments, including mandating phishing-resistant multifactor authentication (MFA) for all staff and for all services.

As a longer-term effort, applying robust network-segmentation controls to NetScaler appliances and other internet-facing devices can help limit the impact of future zero-day exploits.

References:

  • https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
  • https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-day/
  • https://thehackernews.com/2023/07/zero-day-attacks-exploited-critical.html
  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
