NetScaler ADC and Gateway CVE-2023-3519 Actively Exploited

Source Material: Citrix Security Bulletin, CISA, Tenable, BleepingComputer

Executive Summary

Citrix released a security bulletin for 3 CVEs affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

Citrix stated in their advisory that “exploits of CVE-2023-3519 on unmitigated appliances have been observed.”

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-55.297
• NetScaler ADC 12.1-NDcPP before 12.1-55.297

Insights & Determinations

At this time, the technical details of the vulnerabilities are not known. Furthermore, details of exploitation attempts are not known. Bleeping Computer did report that “organizations can start investigating if they’ve been compromised by looking for web shells that are newer than the last installation date.”

Risk & Impact Assessment

As Netscaler ADC and Gateway provides VPN services to organizations and has been impacted with these types of vulnerabilities and previously used for mass exploitation we thought it pertinent to ensure the community is aware.  See below for examples of Threat Actors leveraging Netscaler vulnerabilities for malicious activities:

• https://www.deepwatch.com/labs/customer-advisory-citrix-adc-and-citrix-gateway-critical-vulnerability-cve-2022-27518-actively-exploited/
• https://www.wiz.io/blog/cve-2022-27518-exploited-in-the-wild-by-apt5-everything-you-need-to-know
• https://www.at-bay.com/articles/likely-first-exploit-citrix-vulnerability/
• https://www.nixu.com/blog/vulnerabilities-citrixnetscaler-appliances-exploited-actively
• https://www.proficio.com/citrix-adc-and-citrix-gateway-vulnerability-cve-2019-19781/

According to Citrix, in order to effectively exploit CVE-2023-3519 the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Because Netscaler is an appliance, agent based security tools (e.g. EDR, VM, etc.) cannot be installed on them, therefore monitoring should be performed via appliance logs.

Actions & Recommendations

Patch/upgrade/update all affected assets, and for anything that is End of Life (EoL) immediately upgrade to a supported version.

ATI is monitoring the situation and evaluating available information for detection & hunting opportunities, and the VM team is currently identifying affected hosts. Deepwatch will disseminate further details when/if additional information becomes available.

↑