Published: July 19, 2023

Overview

Multiple vulnerabilities have been discovered in Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway). CVE-2023-3519 (CVSS score 9.8), CVE-2023-3466 (CVSS score 7.5), and CVE-2023-3467 (CVSS score 7.5) are a set of vulnerabilities found in Citrix ADC and Citrix Gateway. These vulnerabilities allow an attacker to execute arbitrary code on the affected appliance, which could lead to remote code execution, data exfiltration, or denial of service. These vulnerabilities are serious and should be patched as soon as possible.  CISA encourages users and administrators to review the Citrix security bulletin and apply the necessary updates. If you are using NetScaler ADC or NetScaler Gateway, please check the Citrix website for the latest security updates.

Impact

CVE-2023-3466 is a Reflected Cross-Site Scripting (XSS) vulnerability that directs the victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIP2. It has a CVSS score of 8.33. 

CVE-2023-3467 is a Privilege Escalation vulnerability that allows escalation to root administrator (nsroot). It requires authenticated access to NSIP or SNIP with management interface access2. It has a CVSS score of 8.03. 

CVE-2023-3519 is a critical Unauthenticated Remote Code Execution vulnerability. The appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server2. According to Citrix, CVE-2023-3519 is being exploited on unmitigated appliances as zero-day bug.  

The impacts of these vulnerabilities can be serious, including remote code execution, data exfiltration, and denial of service. It is important to note that these are just some of the potential impacts of these vulnerabilities. The actual impact of an exploit will depend on the specific configuration of the affected appliance and the skills of the attacker. 

Applicable Versions

Affected VersionsFixed Versions
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases 
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS before 13.1-37.159NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS 
NetScaler ADC 12.1-FIPS before 12.1-55.297NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS 
NetScaler ADC 12.1-NDcPP before 12.1-55.297 NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Mitigations and Workarounds

There are a few workarounds that can be used to mitigate the risks posed by CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467: 

  • Disable the web interface. This will prevent attackers from accessing the web interface and exploiting the vulnerabilities.  
  • Configure the appliance to only allow access from known IP addresses. This will help to prevent unauthorized access to the web interface.  
  • Use a firewall to block access to the web interface from the internet. This will further help to prevent unauthorized access to the web interface.  

It is important to note that these workarounds are not a permanent solution. The best way to mitigate the risks posed by these vulnerabilities is to apply the security updates released by Citrix. 

Best Practices

Here are some best practices to prevent CVE-2023-33308 from being exploited and lessen the impact: 

  • Keep your software up to date. This includes applying security updates as soon as they are released.  
  • Use strong passwords and two-factor authentication. This will help to protect your accounts from unauthorized access.  
  • Be aware of the latest threats. Stay informed about the latest security threats so that you can take steps to protect your environment.  

Netsurion Detection and Response

Netsurion researchers are continuously monitoring the exploits of this vulnerability. Our security analysts will be adding the IOCs (Indicators of Compromise – the hashes of malicious files and the IP addresses) to Netsurion’s Threat Center, our threat intelligence platform. This will help detect malicious files and suspicious Command and Control communications to malicious IP addresses to detect the exploitation of this vulnerability. Netsurion’s vulnerability management system will also detect these vulnerabilities (CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467) for customers who have subscribed to Netsurion Vulnerability Management. 

References:

  1. https://www.cisa.gov/news-events/alerts/2023/07/18/citrix-releases-security-updates-netscaler-adc-and-gateway  
  2. https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467  
  3. https://thehackernews.com/2023/07/zero-day-attacks-exploited-critical.html  
  4. https://www.tenable.com/blog/cve-2023-3519-critical-rce-in-netscaler-adc-citrix-adc-and-netscaler-gateway-citrix-gateway  
  5. https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-day/  
Cybersecurity Updates
Latest Advisory Alerts

Palo Alto PAN-OS Command Injection Vulnerability

D-Link NAS Command Injection Vulnerability

VMware ESXi, Workstation, and Fusion Vulnerabilities

Latest Data Source Integrations

AWS Key Management Service (KMS)

Have I Been Pwned

SentinelOne

Latest Enhancements

Netsurion Open XDR Now Supports PCI DSS 4.0

Extended Data Source Integrations and Alerts Released for Essentials

Enriched Application Control in Open XDR 9.4