Introduction
We would like to bring your attention to a serious security threat that has recently emerged, which could have significant consequences for your organisation's operations.
Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), one of which is a zero day. CVE-2023-3519 is rated as Critical, with a CVSS score of 9.8, and can potentially lead to remote code execution on an organisations network.
This vulnerability is actively being exploited in attacks, with thousands of devices at risk globally. CISA has also released a security Alert and encourages users and administrators to review the Citrix security bulletin and apply the necessary updates.
In this blog post, we will explain the impact of this threat in simple terms, highlighting the importance of addressing it promptly to safeguard your organisation.
The Threat
Citrix NetScaler refers to the Application Delivery Controller, or ADC, line of products, while the NetScaler Gateway, formerly known as the Citrix Access Gateway, or CAG, is primarily used for secure remote access to XenDesktop and/or XenApp environments.
Unfortunately, cybercriminals recently discovered and are exploiting a zero-day vulnerability in the software. A zero-day vulnerability refers to a security flaw that is discovered and exploited by attackers before the software vendor becomes aware of it or has a chance to develop a patch or fix. A dark web post revealing the exploit for the Citrix-associated remote code execution (RCE) vulnerability surfaced just before Citrix made their official announcement. Reportedly, the alleged exploit affects versions that are 13.1-48.7 or older.
CVE-2023-3519 allows unauthenticated remote attackers to execute arbitrary code on the affected appliance. It can be exploited if the appliance is set up as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server and allows an attacker to gain access to the targeted system through a network connection without requiring any privileges or user interaction.
The Consequences
The impact of this vulnerability can be severe and far-reaching. Since it is actively exploited in the wild, it poses significant risks to organisations that use the affected versions of Citrix products. The potential impact of successful exploitation includes:
Unauthorized Remote Code Execution: The vulnerability allows attackers to inject malicious code into the affected system remotely and execute it without authentication. This means that attackers can gain control over the vulnerable device and potentially compromise the entire network it is connected to, as well as disrupting normal business operations
Data Breaches: Attackers can gain access to sensitive data, including customer information, intellectual property, financial records, and other confidential data. A data breach can have serious legal, financial, and reputational consequences for the affected organisation.
Unauthorised Access to Network Resources: If the vulnerable device is configured as a Gateway or an authorisation and accounting virtual server, attackers can potentially bypass security controls and gain unauthorised access to other network resources and sensitive information.
Other potential impacts include financial losses, reputational damage, and legal consequences.
Potential Widespread Impact
According to Shodan, approximately 60,000 Citrix Netscaler Gateways are currently accessible online worldwide. It is still early days, however, it is expected that the exploitation rate of this zero day will increase in the coming weeks.
In the past, attackers have consistently targeted Citrix's ADC and Gateway appliances. For example, in December 2022, Citrix had to address a critical Remote Code Execution (RCE) vulnerability, CVE-2022-27518, in these products, which was actively exploited.
Back in late 2019, another unauthenticated RCE vulnerability, CVE-2019-19781, was disclosed for ADC and Gateway appliances. It quickly became a favourite target for various threat actors, including state-sponsored groups from China, Iran, and Russia, as well as ransomware operators.
Considering the historical pattern of exploitation against ADC and Gateway appliances, we strongly recommend that organisations promptly patch CVE-2023-3519 to secure their systems. CISA have issued a security alert and it is anticipated that this vulnerability will also be added to CISA’s Known Exploited Vulnerabilities Catalog.
Immediate Actions
Due to the seriousness of this vulnerability, it is crucial to act swiftly to safeguard your organisation. Citrix has issued guidance on impacted versions, software upgrades, and patches. It is vital to carefully review this advice and promptly update your Citrix software to a secure version.
Organisations can also initiate an investigation to determine if they have been compromised by searching for web shells created after the last installation date.
Additionally, examining HTTP error logs might uncover anomalies suggestive of initial exploitation. Administrators can also review shell logs for any unusual commands that might have been employed during the post-exploitation phase.
At the time of writing, two IP addresses were disclosed on VirusTotal as potential IOCs, one of which is the source of successful exploitation attempts, and one which has appeared in logs. These can aid network defenders as part of any threat hunting tasks.
216[.]41[.]162[.]172
216[.]51[.]171[.]17
Affected Versions
The following versions of NetScaler ADC and NetScaler Gateway have been identified as vulnerable to this exploit:
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.
Update - 15th August '23
Recent developments include the public dissemination of proof-of-concepts aimed at taking advantage of this vulnerability. Moreover, instances of exploiting this vulnerability have been observed in real-world situations, that have been attributed to a threat actor group with ties to China. This attribution is drawn from their historical focus on Citrix ADCs and known capabilities.
When Cytidel initially reported on this vulnerability, the EPSS score was “Pending”. As we continue to monitor for developments, we have observed the EPSS increase from 4.6% in late July, to 91.2% as of today, August 15th 2023.
30-Day EPSS graph from Cytidel's Advanced Vulnerability Intelligence Database
In response to these emerging concerns, Mandiant has introduced a utility designed to aid organizations in analysing their Citrix devices for signs of post-exploitation activities associated with CVE-2023-3519:
Developed in partnership with Citrix, this utility encompasses indicators of compromise (IOCs) compiled from Mandiant's investigations, as well as contributions from their associates and the wider community.
Its objective is to assess system forensic artifacts and available log sources to uncover signs of successful CVE-2023-3519 exploitation.
If any indications of compromise arise, organizations are advised to carry out a forensic assessment of the affected system to determine the extent and nature of the incident.
Mandiant strongly advises utilizing the scanner on all susceptible appliances that have had internet connectivity at any point.
As outlined by Mandiant, it is important to understand that this tool aims to identify ongoing compromises, yet is not immune to errors and does not establish the device's susceptibility to exploitation. Also note that installing the Citrix update does not eradicate any potential malware residing on the device.
The standalone Bash script can be downloaded from the GitHub repository, and comprehensive instructions can be found in the README for guidance on running it against a device or forensic image.
Keep your organisation ahead of threats with Cytidel Threat Intelligence
To find out more about Cytidel’s threat intelligence offering, visit
Stay safe and secure!
The Cytidel Threat Intelligence Team
Comments