Citrix is alerting customers of a critical unauthenticated remote code execution vulnerability in NetScaler ADC and NetScaler Gateway. This vulnerability is being exploited in the wild and affected customers are strongly urged to install updated versions as soon as possible.
Tracked as CVE-2023-3519 (CVSSv3 score: 9.8 – Critical), the vulnerability allows unauthenticated remote attackers to execute arbitrary code on the affected appliance. Successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The flaw only affects customer-managed NetScaler ADC and NetScaler Gateway. Citrix-managed cloud services or Citrix-managed Adaptive Authentication are unaffected.
There are approximately 38,000 Citrix Gateway appliances exposed to the public internet. CVE-2023-3519 is one of three vulnerabilities patched that pose significant risks to customers. The others are CVE-2023-3466 (CVSSv3 score: 8.3 – High) and CVE-2023-3467 (CVSSv3 score: 8.0 – High). CVE-2023-3466 is an improper input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack. CVE-2023-3467 is an improper privilege management vulnerability resulting in privilege escalation to the root administrator (nsroot).
At the time of writing, technical details about all three vulnerabilities are not publicly available.
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.
As always, if we detect activity related to these exploits, we will alert you if warranted.
Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.
Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.
Vulnerable Products
All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet.
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-65.36
- NetScaler ADC 12.1-NDcPP before 12.65.36
Recommendation
All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet.
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.
Security Bulletin
Resources & Related Articles
