Critical Citrix ADC and Gateway zero-day exploited

Citrix Systems has issued patches to fix three critical security flaws in Citrix Application Delivery Controller (ADC) and Citrix Gateway that are being actively exploited. These zero-day vulnerabilities were identified by the Common Vulnerabilities and Exposures system as CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467.

Overview of Citrix exploits

The first vulnerability, CVE-2023-3519, which has received a CVSS score of 9.8 out of 10, allows attackers to execute code remotely without authentication. 

The vulnerability has been added to the Known Exploited Vulnerabilities Catalog due to evidence that it is being actively exploited. Citrix has not shared details of the vulnerability but it is known to impact the following versions:

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
• NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-55.297, and
• NetScaler ADC 12.1-NDcPP before 12.1-55.297

To leverage the vulnerability in an attack the vulnerable appliance must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (AAA server)

The other vulnerabilities, CVE-2023-3466 and CVE-2023-3467 have received high severity scores of 8.3 and 8 respectively. CVE-2023-3466 is a reflected cross-site scripting (XSS) attack. XSS attacks are a type of injection that use malicious scripts to compromise user interaction with a vulnerable application. CVE-2023-3467 allows attackers to elevate account privileges to root administrator (nsroot).

Remediating the threat

To mitigate all three vulnerabilities, Citrix is advising that appliances are updated to a version containing a patch for the issues:

• NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
• NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0 
• NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS 
• NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS 
• NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

To identify whether an application has been compromised administrators can conduct the following exercises:

• Search for web shells that are newer than the last installation date.
• Check HTTP error logs for anomalies that could indicate exploitation.
• Review shell logs for unusual commands that could be used post-exploitation.

Hadrian recommends that the steps above are taken immediately to prevent exploitation and identify any compromises. To verify that all appliances have been patched and the exploit has been mitigated we recommend that you scan your attack surface for vulnerable versions.