CTI Flash Briefing: Zero-day exploit in the wild for Citrix/NetScaler ADC and Gateway

James Beal, Hunter Strategy
Jul 19, 2023

Breakdown

Citrix alerted customers through a security bulletin that a critical vulnerability (CVE-2023-3519) affecting NetScaler Application Delivery Controller (ADC) and NetScaler Gateway is already being exploited in the wild. Citrix has released new versions of both products that address three vulnerabilities, including the CVE cited here, and recommends patching immediately.

Area of Impact

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Overview

The RCE vulnerability is being tracked as CVE-2023-3519. It is an unauthenticated RCE, but it requires the unpatched appliance to be configured as a gateway or as an authentication virtual server. A hacker forum post from earlier this month advertised a zero-day vulnerability in Citrix ADC, but the details provided were not enough to confirm that it is the same vulnerability NetScaler disclosed yesterday.

Per BleepingComputer:

For hackers to leverage the security issue in attacks, the vulnerable appliance must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (the so-called AAA server).

In a security bulletin today, Citrix says that “exploits of CVE-2023-3519 on unmitigated appliances have been observed” and strongly advises its customers to switch to an updated version that fixes the issue:

· NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
· NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
· NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
· NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
· NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.
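
One practical way to use the fixed-build list above is to compare it against your own appliance inventory, since the FIPS and NDcPP trains carry different build numbers from the standard 13.1/13.0 releases and a plain string comparison will get that wrong. The script below is an added example for this briefing, not Citrix tooling and not part of the original post: the fixed-build table is taken from the list quoted above, the version format (MAJOR.MINOR-BUILD.SUBBUILD) is the one those entries use, and the hostnames and versions in the usage section are constructed samples.

```python
"""Exposure check for CVE-2023-3519 against the fixed NetScaler builds listed above.

Added example for this briefing; not Citrix tooling and not part of the original
post. The fixed-build table is the list quoted from the bulletin; the inventory
rows in the usage section are constructed samples.
"""
import re

# Minimum fixed build per product line, from the bulletin's list (branch -> build tuple).
# FIPS and NDcPP trains use their own build numbering, so they are keyed separately.
FIXED_BUILDS = {
    "13.1": (13, 1, 49, 13),
    "13.0": (13, 0, 91, 13),
    "13.1-FIPS": (13, 1, 37, 159),
    "12.1-FIPS": (12, 1, 65, 36),
    "12.1-NDcPP": (12, 1, 65, 36),
}

# NetScaler builds are written MAJOR.MINOR-BUILD.SUBBUILD, e.g. 13.1-49.13.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> tuple:
    """Parse '13.1-49.13' into (13, 1, 49, 13) so builds compare numerically, not as strings."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return tuple(int(part) for part in m.groups())


def assess(version: str, variant: str = "") -> str:
    """Classify one appliance as 'fixed', 'vulnerable', 'eol' or 'unknown-branch'.

    variant is '' for standard builds, or 'FIPS' / 'NDcPP' for those product lines,
    because their fixed builds differ from the standard 13.1 and 13.0 releases.
    """
    build = parse_build(version)
    branch = f"{build[0]}.{build[1]}" + (f"-{variant}" if variant else "")
    if branch == "12.1":
        # Standard 12.1 is end-of-life per the bulletin: there is no fixed build, upgrade instead.
        return "eol"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "fixed" if build >= fixed else "vulnerable"


def triage(inventory) -> dict:
    """Map each (hostname, version, variant) inventory row to its status."""
    return {host: assess(version, variant) for host, version, variant in inventory}


if __name__ == "__main__":
    # Constructed inventory rows, not real hosts.
    sample = [
        ("ns-gw-01", "13.1-48.47", ""),
        ("ns-gw-02", "13.1-49.13", ""),
        ("ns-fips-01", "13.1-37.150", "FIPS"),
        ("ns-legacy", "12.1-65.36", ""),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Keep in mind that "fixed" only means the build is at or above the one Citrix published; an appliance that was already compromised before patching still needs the integrity checks discussed under Recommendation.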

Recommendation

Updates to both products have been released, and installing these updated versions at the earliest possible time is the best course of action.

For threat hunting in your environment:

1. Twitter post from Florian Roth on the IP IOCs related to the vulnerability, with a link in his post to the VirusTotal Graph. In a later tweet, when another account asked for context on these IP addresses, Florian stated: “one is the source of successful exploitation attempts, the other one appeared in logs”.

a. 216[.]41[.]162[.]172

b. 216[.]51[.]171[.]17

2. Tweet from Malcolm Koegler, a security researcher, with some best practice checks you can run in your own environment to detect compromise or unauthorized changes.
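
For the IP IOCs in point 1, the quickest hunt is a sweep of the access logs your appliances forward to the SIEM. The script below is an added example for this briefing, not Florian Roth's tooling and not part of the original post: the two IOCs are the defanged addresses listed above, re-fanged for matching, and SAMPLE_LOGS is constructed Apache-style sample data, not output from a real appliance. It matches each address only as a whole dotted quad, so 216.51.171.17 is not reported when 216.51.171.170 appears, which a plain substring search would get wrong.

```python
"""Sweep access-log lines for the IP IOCs shared for CVE-2023-3519 activity.

Added example, not part of the original briefing and not Florian Roth's tooling.
The two IOCs are the defanged addresses listed in point 1 above; SAMPLE_LOGS is
constructed, Apache-style sample data, not output from a real appliance.
"""
import re
from collections import Counter

DEFANGED_IOCS = ["216[.]41[.]162[.]172", "216[.]51[.]171[.]17"]


def refang(ioc: str) -> str:
    """Turn a defanged address ('216[.]41[.]162[.]172') back into a matchable IP."""
    return ioc.replace("[.]", ".")


IOC_SET = {refang(ioc) for ioc in DEFANGED_IOCS}

# Match a dotted quad only as a whole token: the look-arounds stop 216.51.171.17
# from matching inside 216.51.171.170, which a plain substring search would do.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed sample lines (client IP, timestamp, request, status, bytes); line 3 is a
# deliberate near-miss address and must not be reported.
SAMPLE_LOGS = """\
216.41.162.172 - - [18/Jul/2023:02:14:07 +0000] "GET / HTTP/1.1" 200 512
10.20.30.40 - - [18/Jul/2023:02:15:11 +0000] "GET /vpn/index.html HTTP/1.1" 200 9231
216.51.171.170 - - [18/Jul/2023:02:16:40 +0000] "GET / HTTP/1.1" 200 512
216.51.171.17 - - [18/Jul/2023:02:17:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [18/Jul/2023:02:18:55 +0000] "POST /logon HTTP/1.1" 302 0
216.41.162.172 - - [18/Jul/2023:02:19:30 +0000] "POST / HTTP/1.1" 200 128
"""


def find_ioc_hits(log_text: str) -> list:
    """Return (line_number, ip, line) for every line containing a listed IOC as a whole address."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for ip in IPV4_RE.findall(line):
            if ip in IOC_SET:
                hits.append((lineno, ip, line))
    return hits


def summarize(hits) -> Counter:
    """Count hits per IOC so the two addresses are reported separately."""
    return Counter(ip for _, ip, _ in hits)


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOGS)
    for lineno, ip, line in hits:
        print(f"line {lineno}: {ip} -> {line}")
    print(dict(summarize(hits)))
```

A hit on either address is a lead, not a verdict: per Florian's clarification, one address was the source of successful exploitation attempts and the other merely appeared in logs, so treat a match as the starting point for the integrity checks in point 2 rather than as confirmation of compromise, and expect IP IOCs like these to go stale quickly.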

Conclusion

To our current SOC partnerships, please reach out to our SOC team to learn more about the best steps in researching your exposure to this threat. If you have any questions on this on-going event or need any level of security assistance, please reach out to Hunter Strategy and we will be happy to discuss next steps in securing your IT systems!

Contact Us

contact@hunterstrategy.net

James Beal, Hunter Strategy
Cyber Threat Intelligence Engineer - Focused on simplifying the evolving threat landscape and creating tangible alerts to help TRIAGE events.