
Zero-Day Alert! Critical Flaw in Citrix ADC and Gateway Exploited in the Wild – Source: heimdalsecurity.com


Source: heimdalsecurity.com – Author: Livia Gyongyoși

Citrix urged customers to patch NetScaler ADC and Gateway products after discovering a critical-severity zero-day vulnerability. The flaw was assigned CVE-2023-3519, scored 9.8 on the CVSS scale, and was observed being exploited in the wild.

The company released updated versions of the affected products and alerted its customers to patch immediately.

What's at Risk

Researchers announced that hackers can exploit CVE-2023-3519 to perform unauthenticated remote code execution.

The Citrix zero-day vulnerability is known to impact the following versions of the NetScaler ADC and Gateway products:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297, and
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

In order for the exploit to work, according to the company,

the Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.


Apart from the zero-day, researchers found two more CVEs impacting Citrix products:

  • CVE-2023-3466 (CVSS score: 8.3) – Enables reflected Cross-Site Scripting (XSS), which could result in unauthorized execution of malicious scripts. For it to be exploited, threat actors have to trick their target into clicking a malicious link in the browser. Also, the victim must be on a network with connectivity to the NSIP.
  • CVE-2023-3467 (CVSS score: 8.0) – Enables privilege escalation to the root administrator (nsroot). In this case, authenticated access to NSIP or SNIP with management interface access is required.

Signs of Compromise and Security Measures

Finding web shells that are more recent than the last installation date could be an indicator of compromise (IoC). In addition, according to Bleepingcomputer.com:

HTTP error logs may also reveal anomalies that could indicate initial exploitation. Administrators can also check the shell logs for unusual commands that may be used in the post-exploitation phase.

Companies should update the aforementioned versions to:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

Although NetScaler ADC and NetScaler Gateway version 12.1 are also on the list of affected products, they were not patched. Both have reached the end-of-life stage, so customers are advised to upgrade to a more recent version.
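The two version lists above can be turned into a triage check. The helper below is an added example, not code from the article or from Citrix: it parses build strings in the article's notation (e.g. "13.1-49.13"), treats the "before X" thresholds from the affected-versions list as the first fixed build for each release train, and factors in the Gateway/AAA virtual-server precondition the company states. The hostnames and builds in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed build per release train, taken from the article's affected-version
# list ("before X" means X is the first build not affected). None = no fixed build.
FIRST_FIXED: Dict[Tuple[str, Optional[str]], Optional[Tuple[int, int]]] = {
    ("13.1", None): (49, 13),
    ("13.0", None): (91, 13),
    ("12.1", None): None,          # 12.1 is end-of-life: no patch, must change train
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")  # article notation: train-build.point

def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '13.1-49.13' into ('13.1', (49, 13)); tuples compare lexicographically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(version: str, variant: Optional[str], gateway_or_aaa: bool) -> str:
    """Classify one appliance against CVE-2023-3519.
    variant: None for standard builds, 'FIPS' or 'NDcPP' for those trains.
    gateway_or_aaa: configured as Gateway (VPN vserver, ICA Proxy, CVPN, RDP Proxy)
    or AAA virtual server, the exposure precondition quoted from Citrix."""
    train, build = parse_version(version)
    fixed = FIRST_FIXED.get((train, variant), "unknown")
    if fixed == "unknown":
        return "unknown"            # train not covered by the advisory text above
    if fixed is not None and build >= fixed:
        return "patched"
    if not gateway_or_aaa:
        return "affected-not-exposed"   # still update: role can change later
    return "eol-upgrade-required" if fixed is None else "vulnerable"

# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY: List[Tuple[str, str, Optional[str], bool]] = [
    ("vpn-edge-1", "13.1-48.47", None, True),
    ("vpn-edge-2", "13.1-49.13", None, True),
    ("lb-internal", "13.0-90.12", None, False),
    ("fips-gw", "13.1-37.150", "FIPS", True),
    ("legacy-gw", "12.1-65.25", None, True),
]

def triage(inventory: List[Tuple[str, str, Optional[str], bool]]) -> Dict[str, str]:
    """Map each appliance name to its status so the vulnerable ones can be prioritised."""
    return {name: assess(ver, var, gw) for name, ver, var, gw in inventory}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status}")
```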


Original Post URL: https://heimdalsecurity.com/blog/citrix-zero-day-exploited/

Category & Tags: Cybersecurity News – Cybersecurity News
