
Patch Now: Critical RCE Flaw in Citrix ADC and Gateway Actively Exploited
A critical security vulnerability has been discovered in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products, demanding immediate attention from IT administrators. This flaw, tracked as CVE-2023-3519, is a severe code injection vulnerability that can lead to unauthenticated remote code execution (RCE).
Making this situation even more urgent, the vulnerability is actively being exploited in the wild. This means threat actors are already using this flaw to attack unpatched systems, making it a race against time to secure your infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed observing active exploitation and has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.
This is not a theoretical threat; it is a clear and present danger to organizations relying on these popular networking appliances.
Understanding the Critical Flaw: CVE-2023-3519
The vulnerability carries a CVSS score of 9.8 out of 10, classifying it as “Critical.” An attacker can exploit it over the network without any credentials and without any user interaction, allowing them to take control of an affected appliance remotely.
For an appliance to be vulnerable, it must be configured in one of the following ways (an appliance used purely for load balancing, with neither a Gateway nor an AAA virtual server, does not expose this particular flaw, but should still be updated):
- As a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy)
- As an AAA virtual server
An attacker who successfully exploits this vulnerability can execute arbitrary code on the target system. Because the appliance terminates TLS and brokers user authentication, that level of access could allow them to harvest credentials and session data or decrypt traffic, pivot to internal networks, install persistent backdoors such as web shells, or stage ransomware.
Which Versions Are Affected?
It is crucial to identify whether your systems are running a vulnerable version; on the appliance, the NetScaler CLI command show version reports the running build. The following versions of NetScaler ADC and NetScaler Gateway are impacted:
- NetScaler ADC and NetScaler Gateway 13.1 before version 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before version 13.0-91.13
- NetScaler ADC 13.1-FIPS before version 13.1-37.159
- NetScaler ADC 12.1-FIPS before version 12.1-55.297
- NetScaler ADC 12.1-NDcPP before version 12.1-55.297
Important Note: The standard NetScaler ADC and Gateway 12.1 release is now End of Life (EOL) and is also vulnerable. Only the 12.1-FIPS and 12.1-NDcPP builds listed above receive a fix; customers on standard 12.1 have no patch to apply and are urged to upgrade to a supported release immediately.
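The version table above and the Gateway/AAA configuration condition from the previous section can be combined into a quick triage script. The following Python is an added example written for this article, not a Citrix tool: it assumes the first line of the NetScaler CLI show version output has the shape "NetScaler NS13.1: Build 48.47.nc, ...", takes the FIPS/NDcPP edition as a separate argument because that line does not spell it out, and detects exposure from "add vpn vserver" and "add authentication vserver" lines in ns.conf. The sample inputs are constructed.

```python
"""Triage a NetScaler ADC / Gateway appliance for CVE-2023-3519.

Added illustration for this article, not Citrix tooling. Assumptions (flagged
below): the `show version` line format, and an explicit `edition` argument to
tell standard, FIPS and NDcPP builds apart.
"""
import re

# First fixed build per (branch, edition), taken from the advisory table in the article.
FIXED_BUILDS = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "fips"): (37, 159),
    ("12.1", "fips"): (55, 297),
    ("12.1", "ndcpp"): (55, 297),
}
# Standard 12.1 is end of life: vulnerable, with no fixed build to move to.
EOL_BRANCHES = {("12.1", "standard")}

# Assumed layout of the first `show version` line, e.g. "NetScaler NS13.1: Build 48.47.nc, Date: ..."
VERSION_RE = re.compile(r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<build>\d+)\.(?P<minor>\d+)")


def parse_version(show_version_line):
    """Return (branch, (build, minor)) from a `show version` line, or None if unparseable."""
    m = VERSION_RE.search(show_version_line)
    if not m:
        return None
    return m.group("branch"), (int(m.group("build")), int(m.group("minor")))


def assess_version(branch, build, edition="standard"):
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown' for a branch/build/edition."""
    if (branch, edition) in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return "unknown"  # branch/edition not listed in the advisory; check the vendor bulletin
    # Tuple comparison orders (build, minor) lexicographically, e.g. (48, 47) < (49, 13).
    return "fixed" if build >= fixed else "vulnerable"


# ns.conf commands that create the exposed configurations: a Gateway (VPN)
# virtual server or an AAA (authentication) virtual server.
EXPOSING_COMMANDS = ("add vpn vserver ", "add authentication vserver ")


def exposed_vservers(ns_conf_text):
    """Return the names of vpn/authentication vservers defined in an ns.conf."""
    names = []
    for line in ns_conf_text.splitlines():
        line = line.strip()
        for prefix in EXPOSING_COMMANDS:
            if line.startswith(prefix):
                names.append(line[len(prefix):].split()[0])
    return names


def triage(show_version_line, ns_conf_text, edition="standard"):
    """Combine build status and configuration exposure into one verdict string."""
    parsed = parse_version(show_version_line)
    if parsed is None:
        return "unknown"
    branch, build = parsed
    status = assess_version(branch, build, edition)
    if status == "fixed":
        return "patched"
    if not exposed_vservers(ns_conf_text):
        return f"{status}-build-not-exposed"  # still patch, but no CVE-2023-3519 attack surface
    return f"{status}-build-exposed"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real appliance.
    sample_version = "NetScaler NS13.1: Build 48.47.nc, Date: Apr 4 2023, 12:00:00"
    sample_conf = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver corp_gw SSL 203.0.113.5 443
add authentication vserver aaa_vs SSL 203.0.113.6 443
"""
    print(triage(sample_version, sample_conf))  # vulnerable-build-exposed
```

A "vulnerable-build-exposed" verdict means both conditions hold and the appliance should be treated as a likely target; "vulnerable-build-not-exposed" still needs the patch, but the exploit path for this CVE is absent. Run the check on every node of an HA pair, since both run the same build.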
Immediate Action Required: Patch Your Systems Now
The single most important step you can take to protect your organization is to apply the necessary security patches immediately. Delaying the update leaves your critical infrastructure exposed to active attacks.
The fixed versions are:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later
Given the active exploitation, this patch should be treated as an emergency change. Do not wait for a scheduled maintenance window.
Beyond the Patch: Hunt for Signs of Compromise
Because this vulnerability was exploited as a zero-day (before a patch was available), simply applying the update is not enough. The patch closes the entry point, but it does not remove a web shell, account, or scheduled task that an attacker already planted. You must also investigate your systems for any indicators of compromise (IOCs): a skilled attacker could have breached your appliance before the patch was applied and established a persistent foothold.
Security teams should immediately begin forensic analysis, looking for:
- Suspicious Files and Requests: Review the appliance's web server logs for unusual requests or errors, and look for newly created web shells or unknown files in web-accessible directories, comparing against a known-good appliance or a baseline taken before the exploitation window.
- Unusual Processes: Examine running processes for any that are unexpected or running from strange directories.
- Outbound Network Traffic: Monitor for any unusual outbound connections from the NetScaler appliance, as this could indicate a backdoor communicating with a command-and-control server.
- New Local Users or Configuration Changes: Compare the running configuration (ns.conf) against a known-good backup and check for unauthorized modifications, newly created user accounts, or changed command policies granting extra privileges.
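As an added example, not part of the original article or any vendor tooling, the following Python implements two of the checks above against a known-good backup of the configuration (the live copy is normally /nsconfig/ns.conf): configuration and local-account drift, and a sweep for files modified after the last legitimate upgrade under web-accessible directories. The "add system user" line shape and the example web root paths are assumptions to adjust for your build; the sample configurations are constructed.

```python
"""Post-patch hunting helpers for a NetScaler appliance.

Added illustration for this article, not a vendor or CISA tool. Assumptions
(flagged below): local accounts appear in ns.conf as `add system user <name> ...`,
and the web root paths in the demo are examples you replace with your own.
"""
import os
import time

USER_PREFIX = "add system user "  # assumed ns.conf shape for locally defined accounts


def config_drift(baseline_conf, current_conf):
    """Return (added, removed) config lines between a known-good backup and the live ns.conf."""
    base = {l.strip() for l in baseline_conf.splitlines() if l.strip()}
    cur = {l.strip() for l in current_conf.splitlines() if l.strip()}
    return sorted(cur - base), sorted(base - cur)


def system_users(conf_text):
    """Return the set of local account names declared with `add system user`."""
    users = set()
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith(USER_PREFIX):
            users.add(line[len(USER_PREFIX):].split()[0])
    return users


def unexpected_users(baseline_conf, current_conf):
    """Accounts present in the live config that were absent from the known-good baseline."""
    return sorted(system_users(current_conf) - system_users(baseline_conf))


def recent_files(roots, since_epoch):
    """Files under `roots` modified after `since_epoch` (e.g. the last legitimate
    upgrade), as sorted (path, mtime) pairs. A web shell dropped through the
    exploit shows up here even when its name blends in with the GUI assets."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):  # nonexistent roots yield nothing
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # file vanished or unreadable; skip it, do not abort the hunt
                if mtime > since_epoch:
                    hits.append((path, mtime))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample configurations, not taken from a real appliance.
    baseline = """\
add system user svc_backup a1b2c3d4 -encrypted -externalAuth DISABLED
add vpn vserver corp_gw SSL 203.0.113.5 443
"""
    current = """\
add system user svc_backup a1b2c3d4 -encrypted -externalAuth DISABLED
add system user nsupdate e5f6a7b8 -encrypted -externalAuth DISABLED
add vpn vserver corp_gw SSL 203.0.113.5 443
add system cmdPolicy allow_all ALLOW (.*)
bind system user nsupdate allow_all 0
"""
    print("new accounts:", unexpected_users(baseline, current))  # ['nsupdate']
    added, removed = config_drift(baseline, current)
    print("added lines:", added)
    print("removed lines:", removed)
    # Example web roots on a NetScaler appliance (assumed; adjust for your build).
    web_roots = ["/netscaler/ns_gui", "/var/netscaler/logon", "/var/vpn"]
    since = time.time() - 30 * 86400
    for path, mtime in recent_files(web_roots, since):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
```

Run this against a forensic copy of the configuration and filesystem rather than on a live, possibly compromised appliance, and pick a baseline taken before the exploitation window; a drifted line is a lead to investigate, not proof of compromise on its own, since legitimate changes also show up.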
Proactive threat hunting is essential to ensure your network has not already been compromised. The longer an attacker remains undetected, the more damage they can inflict. If you find evidence of compromise, treat the appliance as fully compromised: isolate it, preserve forensic images, rebuild it from a clean image, and rotate the credentials and TLS certificates that lived on it. Stay vigilant and secure your systems today.
Source: https://www.bleepingcomputer.com/news/security/citrix-fixes-critical-netscaler-rce-flaw-exploited-in-zero-day-attacks/