Patch Released for Actively Exploited Citrix NetScaler Zero Day Vulnerability
Citrix has released patches for three vulnerabilities affecting NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances (formerly Citrix ADC and Citrix Gateway), including a critical zero-day that is being actively exploited in the wild.
The appliances are used by healthcare organizations for remote access and single sign-on and to improve the performance, security, and resiliency of application delivery, including access to electronic medical records. Citrix has not confirmed the extent to which the vulnerability is being exploited; however, security researchers expect exploitation to become widespread now that the vulnerability has been announced, as flaws in Citrix appliances are routinely targeted by attackers of all skill levels.
The critical flaw is tracked as CVE-2023-3519 and has a CVSS v3.1 base score of 9.8 out of 10. Successful exploitation allows a remote, unauthenticated attacker to execute code on a vulnerable appliance. An appliance is exploitable only if it is running a vulnerable version and is configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (AAA virtual server).
According to CISA, CVE-2023-3519 was exploited in an attack on a critical infrastructure organization to drop a web shell on its non-production NetScaler ADC appliance. The web shell allowed the threat actor to perform discovery on the victim's Active Directory (AD) and to collect and exfiltrate AD data. The actors then attempted to move laterally to a domain controller; in this case, the lateral movement was blocked by network segmentation controls. Further information on the tactics, techniques, and procedures used in the attack, along with detection methods and mitigations, has been published by CISA in its advisory.
The other two vulnerabilities are rated high severity and were not believed to have been exploited at the time of the announcement. CVE-2023-3466 is a cross-site scripting vulnerability with a CVSS score of 8.3; it can be exploited if a victim opens an attacker-controlled link in a browser while on a network with connectivity to the NetScaler IP (NSIP). CVE-2023-3467 is a privilege escalation flaw with a CVSS score of 8.0; an attacker with authenticated access to the NSIP, or to a SNIP with management interface access, can exploit it to escalate privileges to the root administrator account (nsroot).
The vulnerabilities have been fixed in the following Netscaler ADC and NetScaler Gateway versions:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Customers still running the standard (non-FIPS, non-NDcPP) version 12.1 have been advised to upgrade to a supported version, as that release has reached end-of-life and will not receive a fix.
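The exploitation precondition described above (a vulnerable build plus a gateway or AAA virtual server) and the fixed-build list can be combined into a quick exposure check. The following Python is an added example written for this article, not Citrix or CISA tooling. It assumes the `show ns version` output contains a fragment of the form `NS13.1: Build 48.47.nc`, that gateway and AAA virtual servers appear in the running configuration as `add vpn vserver ...` and `add authentication vserver ...` lines, and that the operator knows whether the appliance is a FIPS or NDcPP build (the version string alone does not say); the sample inputs are constructed.

```python
import re
from dataclasses import dataclass

# Minimum fixed builds per release family, from the Citrix list in this article.
# Builds are compared as (release, build) integer tuples, e.g. 13.1-49.13 -> (49, 13).
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (55, 297),
    "12.1-NDcPP": (55, 297),
}

# Standard 12.1 is end-of-life: there is no fixed build, so it is always treated as unpatched.
EOL_FAMILIES = {"12.1"}

# Assumed shape of the `show ns version` output, e.g. "NetScaler NS13.1: Build 48.47.nc, Date: ...".
VERSION_RE = re.compile(r"NS(?P<rel>\d+\.\d+):\s*Build\s+(?P<build>\d+)\.(?P<sub>\d+)")

# Assumed running-config lines that indicate the gateway / AAA roles named in the advisory.
EXPOSED_VSERVER_RE = re.compile(r"^\s*add (?:vpn|authentication) vserver\b", re.MULTILINE)


def parse_version(show_version: str, variant: str = "") -> tuple[str, tuple[int, int]]:
    """Return (family, (build, sub)) from `show ns version` output.

    `variant` is "" for standard builds, or "-FIPS" / "-NDcPP" when the operator
    knows the appliance is one of those builds (assumption: not derivable from the string).
    """
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {show_version!r}")
    family = m.group("rel") + variant
    return family, (int(m.group("build")), int(m.group("sub")))


def build_is_fixed(family: str, build: tuple[int, int]) -> bool:
    """True if this build is at or above the first fixed build for its family."""
    if family in EOL_FAMILIES:
        return False  # no fix exists; the only remediation is upgrading the release
    if family not in FIXED_BUILDS:
        raise ValueError(f"unknown release family {family!r}")
    return build >= FIXED_BUILDS[family]


def has_exposed_vserver(running_config: str) -> bool:
    """True if a VPN (gateway) or authentication (AAA) vserver is configured."""
    return EXPOSED_VSERVER_RE.search(running_config) is not None


@dataclass
class Assessment:
    family: str
    build: tuple[int, int]
    patched: bool
    exposed: bool

    @property
    def at_risk(self) -> bool:
        # Per the advisory, both conditions must hold for CVE-2023-3519 to be exploitable.
        return self.exposed and not self.patched


def assess(show_version: str, running_config: str, variant: str = "") -> Assessment:
    family, build = parse_version(show_version, variant)
    return Assessment(
        family=family,
        build=build,
        patched=build_is_fixed(family, build),
        exposed=has_exposed_vserver(running_config),
    )


# Constructed sample inputs (not captured from a real appliance).
SAMPLE_VERSION_OLD = "NetScaler NS13.1: Build 48.47.nc, Date: Jun 2 2023, 19:59:39   (64-bit)"
SAMPLE_VERSION_FIXED = "NetScaler NS13.1: Build 49.13.nc, Date: Jul 10 2023, 12:00:00   (64-bit)"
SAMPLE_CONFIG_GATEWAY = """\
add lb vserver emr_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 10.0.0.5 443
add authentication vserver aaa_vs SSL 10.0.0.6 443
"""
SAMPLE_CONFIG_LB_ONLY = "add lb vserver emr_lb HTTP 10.0.0.10 80\n"

if __name__ == "__main__":
    for ver in (SAMPLE_VERSION_OLD, SAMPLE_VERSION_FIXED):
        for cfg in (SAMPLE_CONFIG_GATEWAY, SAMPLE_CONFIG_LB_ONLY):
            a = assess(ver, cfg)
            print(f"{a.family}-{a.build[0]}.{a.build[1]} patched={a.patched} "
                  f"exposed={a.exposed} at_risk={a.at_risk}")
```

A "not at risk" result here only means the remote, unauthenticated path described in the advisory is not open; an unpatched appliance without a gateway or AAA vserver should still be updated, and an appliance that was exposed before patching should be checked for the web shells described by CISA and Mandiant, since patching does not remove an existing compromise.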
The cybersecurity firm Mandiant has analyzed an active campaign in which threat actors exploit the vulnerability to plant web shells on vulnerable appliances as the initial access vector and then use those web shells to modify the NetScaler configuration; Mandiant believes the activity is consistent with Chinese espionage actors. The Shadowserver Foundation has identified more than 15,000 Citrix appliances worldwide that are exposed and at risk of compromise. CISA reports that the vulnerability has been exploited to attack at least one critical infrastructure organization in the United States.