CVE-2023-3519: Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)
Citrix has released patches for a critical, unauthenticated remote code execution vulnerability in several versions of NetScaler ADC and NetScaler Gateway that is being exploited in the wild. Organizations are urged to patch immediately.
Update September 6: The blog has been updated to include additional information from CISA in an update to a previously released cybersecurity advisory.
Background
On July 18, Citrix published a security bulletin (CTX561482) that addresses a critical remote code execution (RCE) vulnerability in NetScaler ADC (formerly known as Citrix ADC) and NetScaler Gateway (formerly known as Citrix Gateway).
| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-3519 | Unauthenticated remote code execution (RCE) vulnerability | 9.8 | Critical |
In addition to CVE-2023-3519, Citrix patched two additional vulnerabilities in its ADC and Gateway appliances in the same bulletin:

| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-3466 | Reflected cross-site scripting (XSS) vulnerability | 8.3 | High |
| CVE-2023-3467 | Privilege escalation to root administrator (nsroot) vulnerability | 8.0 | High |
Analysis
CVE-2023-3519 is an unauthenticated RCE vulnerability in NetScaler ADC and NetScaler Gateway. A remote, unauthenticated attacker can exploit it to execute arbitrary code on a vulnerable appliance. An appliance is only reachable through this vulnerability if it is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization and auditing (AAA) virtual server; appliances without either role are not exposed, but should still be patched, since a later configuration change would expose them. The vulnerability is rated critical and Citrix reports that “Exploits of CVE-2023-3519 on unmitigated appliances have been observed.”
ADC and Gateway Historically Targeted by Attackers
Citrix’s ADC and Gateway appliances have been a popular target for attackers in the past. For instance, in December 2022, Citrix patched another critical RCE vulnerability, CVE-2022-27518, in Citrix ADC and Gateway that was also being exploited.
Following the disclosure of CVE-2019-19781, another unauthenticated RCE vulnerability in ADC and Gateway appliances, in late 2019, active exploitation began in early 2020 and it remained a popular vulnerability with a variety of attackers, including Chinese state-sponsored threat actors, Iran-based threat actors, Russian state-sponsored threat groups and ransomware groups. Additionally, CVE-2019-19781 was featured as one of the Top 5 vulnerabilities in our 2020 Threat Landscape Retrospective report.
Due to the historical nature of exploitation against ADC and Gateway appliances, we strongly urge organizations to patch CVE-2023-3519 as soon as possible.
Proof of concept
At the time this blog post was published, no public proof-of-concept exploit for CVE-2023-3519 was available.
Solution
Citrix detailed the affected and fixed versions in its security bulletin for CVE-2023-3519.
| Affected Product | Affected Version | Fixed Version |
|---|---|---|
| NetScaler ADC and NetScaler Gateway 13.1 | Before 13.1-49.13 | 13.1-49.13 and later releases |
| NetScaler ADC and NetScaler Gateway 13.0 | Before 13.0-91.13 | 13.0-91.13 and later releases |
| NetScaler ADC 13.1-FIPS | Before 13.1-37.159 | 13.1-37.159 and later releases |
| NetScaler ADC 12.1-FIPS | Before 12.1-55.297 | 12.1-55.297 and later releases |
| NetScaler ADC 12.1-NDcPP | Before 12.1-55.297 | 12.1-55.297 and later releases |

Citrix also notes that NetScaler ADC and NetScaler Gateway version 12.1 (other than the FIPS and NDcPP builds above) is End of Life (EOL), and no fixed 12.1 build is listed for CVE-2023-3519; users of that release are urged to upgrade to a supported version immediately.
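As an added example (not code from Tenable, Citrix or CISA), the following Python encodes the fixed-version table above together with the exposure condition from the Analysis section, so a fleet of appliances can be triaged from their reported versions. It accepts the bulletin's `13.1-49.13` notation and the `NetScaler NS13.1: Build 49.13.nc` form printed by `show version` (the latter format is an assumption about that command's output). The build flavor (standard, FIPS or NDcPP) must be supplied separately: a 13.1-FIPS appliance reports a build number (37.x) that is lower than the standard 13.1 fix, so comparing it against the standard table would wrongly mark a fixed FIPS build as vulnerable. The fleet inventory in `main` is constructed.

```python
"""Added example: triage NetScaler ADC / Gateway versions against the
CVE-2023-3519 fixed-version table. Not code from Tenable, Citrix or CISA."""
import re
from typing import Iterable, NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    build: int
    patch: int


# Fixed builds from the Citrix bulletin, keyed by (release, flavor).
FIXED = {
    ("13.1", "standard"): Version(13, 1, 49, 13),
    ("13.0", "standard"): Version(13, 0, 91, 13),
    ("13.1", "fips"): Version(13, 1, 37, 159),
    ("12.1", "fips"): Version(12, 1, 55, 297),
    ("12.1", "ndcpp"): Version(12, 1, 55, 297),
}
# Releases with no fixed build listed: standard 12.1 is end of life.
EOL = {("12.1", "standard")}

# Virtual-server roles that make an appliance reachable by this bug
# (Gateway features or an AAA vserver), per the bulletin.
EXPOSED_ROLES = {"ssl vpn", "vpn", "ica proxy", "cvpn", "rdp proxy", "aaa"}

# Accepts "13.1-49.13" (bulletin notation) and "NS13.1: Build 49.13.nc"
# (assumed `show version` output).
_VER_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)[-: ]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return Version(*(int(g) for g in m.groups()))


def assess(version_text: str, flavor: str = "standard",
           roles: Iterable[str] = ()) -> str:
    """Return one of: fixed, vulnerable, unpatched-not-exposed, eol, unknown."""
    v = parse_version(version_text)
    branch = (f"{v.major}.{v.minor}", flavor.lower())
    if branch in EOL:
        return "eol"                      # no fix exists; migrate to a supported release
    if branch not in FIXED:
        return "unknown"                  # not in the bulletin's table; check it by hand
    if v >= FIXED[branch]:                # tuple comparison covers "and later releases"
        return "fixed"
    if not any(r.lower() in EXPOSED_ROLES for r in roles):
        return "unpatched-not-exposed"    # still patch; a config change makes it exposed
    return "vulnerable"


if __name__ == "__main__":
    # Constructed fleet inventory: (version output, flavor, configured roles).
    fleet = [
        ("NetScaler NS13.1: Build 48.47.nc, Date: May 22 2023", "standard", ["VPN"]),
        ("13.1-49.13", "standard", ["ICA Proxy"]),
        ("13.1-37.159", "FIPS", ["VPN"]),
        ("13.1-37.159", "standard", ["VPN"]),   # wrong flavor supplied: judged vulnerable
        ("12.1-65.25", "standard", ["AAA"]),
        ("13.0-90.12", "standard", []),
    ]
    for ver, flavor, roles in fleet:
        print(f"{ver:55} {flavor:9} {','.join(roles) or '-':10} -> {assess(ver, flavor, roles)}")
```

The `unpatched-not-exposed` result is deliberately not "safe": it means the build is below the fixed version and only the current configuration keeps the appliance out of reach, so it belongs on the same patch list.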
Identifying affected systems
Tenable plugins that identify this vulnerability are listed on the Tenable plugin page filtered for CVE-2023-3519; that filter shows all matching plugin coverage as it is released.
On July 20, the Cybersecurity and Infrastructure Security Agency (CISA) released Cybersecurity Advisory (CSA) AA23-201A with further details on the tactics, techniques and procedures (TTPs) of a threat actor that exploited CVE-2023-3519 at a critical infrastructure organization. The CSA includes detection guidance and indicators that can aid incident responders and maps the observed activity to MITRE ATT&CK IDs. It notes that the threat actor planted a webshell on the victim's NetScaler ADC appliance and used it to perform discovery and to collect and exfiltrate Active Directory (AD) data, then attempted to move laterally to a domain controller (an attempt CISA reports was blocked by network segmentation). We recommend reviewing this CSA for further information to aid incident response if you suspect your organization may have been impacted by this vulnerability.
On September 6, CISA released an update to CSA AA23-201A with additional information, including newly observed TTPs and indicators of compromise (IOCs).
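As an added example (not code from the page, Tenable, Citrix or CISA), the following Python shows the kind of check an incident responder would run for the artefact described above, a webshell written to the appliance: it lists script files under web-facing directories that were modified after the last known patch or install time, and pulls HTTP error-log lines that reference a `.php` or `.sh` path. The directory names (`/netscaler/ns_gui`, `/var/vpn`, `/var/netscaler/logon`, `/var/python`) are assumed as reasonable places to sweep and are not taken from the page; the sample filesystem tree and the Apache-style error-log lines are constructed so the script runs offline. On a real appliance, point `files_newer_than` at `/` with the patch timestamp and feed it the contents of the appliance's HTTP error log.

```python
"""Added example (not from the page, Tenable, Citrix or CISA): hunt for a
webshell written to a NetScaler appliance after exploitation. Two checks:
script files under web-facing directories modified after the last
patch/install time, and HTTP error-log lines that reference .php/.sh paths."""
import os
import re
import tempfile
import time
from pathlib import Path

# Directories assumed here as the web-facing locations worth sweeping
# (relative to the filesystem root); adjust to your build. Not from the page.
WEB_DIRS = ["netscaler/ns_gui", "var/vpn", "var/netscaler/logon", "var/python"]
SCRIPT_EXT = {".php", ".sh", ".py", ".pl"}


def files_newer_than(root, since_epoch, dirs=WEB_DIRS, exts=SCRIPT_EXT):
    """Script files under `dirs` (relative to `root`) modified after `since_epoch`."""
    hits = []
    for rel in dirs:
        base = Path(root, rel)
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file() and p.suffix.lower() in exts and p.stat().st_mtime > since_epoch:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


# Any request or script path ending in .php or .sh that reached the error log.
_SCRIPT_PATH_RE = re.compile(r"\S+\.(?:php|sh)(?=[\s?]|$)", re.IGNORECASE)


def suspicious_error_lines(lines):
    """Error-log lines that mention a .php or .sh path; failed or unusual
    script invocations often surface here before anywhere else."""
    return [line for line in lines if _SCRIPT_PATH_RE.search(line)]


# Constructed sample lines in Apache error-log style (not real appliance data).
SAMPLE_HTTPERROR = [
    "[Tue Jul 11 09:12:01 2023] [error] [client 192.0.2.10] File does not exist: /netscaler/ns_gui/vpn/favicon.ico",
    "[Tue Jul 11 09:13:44 2023] [error] [client 198.51.100.7] script not found or unable to stat: /netscaler/ns_gui/vpn/tmp.php",
    "[Tue Jul 11 09:14:02 2023] [error] [client 198.51.100.7] Premature end of script headers: /var/vpn/themes/run.sh",
    "[Tue Jul 11 09:15:30 2023] [error] [client 192.0.2.11] File does not exist: /netscaler/ns_gui/vpn/images/logo.png",
]


def build_sample_tree():
    """Constructed fake appliance filesystem in a temp dir; returns (root, patch_time)."""
    root = tempfile.mkdtemp(prefix="ns-hunt-")
    patch_time = time.time() - 7 * 86400              # pretend the fix went in a week ago
    before, after = patch_time - 3600, patch_time + 2 * 86400
    samples = {
        "netscaler/ns_gui/vpn/index.html": before,    # shipped content, predates the patch
        "netscaler/ns_gui/vpn/login.php": before,
        "netscaler/ns_gui/vpn/themes/default.css": before,
        "netscaler/ns_gui/vpn/vpnproxy.php": after,   # new PHP after patching: flag it
        "var/vpn/themes/style.css": after,            # new, but not a script type
        "var/python/helper.py": after,                # new script outside ns_gui: flag it
    }
    for rel, mtime in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample\n")
        os.utime(p, (mtime, mtime))
    return root, patch_time


if __name__ == "__main__":
    root, patch_time = build_sample_tree()
    print("script files changed after patch:", files_newer_than(root, patch_time))
    print("suspicious error-log lines:")
    for line in suspicious_error_lines(SAMPLE_HTTPERROR):
        print("  ", line)
```

A mtime check is a first pass, not proof: an attacker can reset timestamps, so treat a clean result as inconclusive and compare the web root against a known-good install of the same build where possible.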
Get more information
- Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
- CISA Cybersecurity Advisory AA23-201A: Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
Change Log
Update September 6: The blog has been updated to include additional information from CISA in an update to a previously released cybersecurity advisory.
Update July 21: The blog has been updated to include a link to a Cybersecurity Advisory with additional details on the exploitation of CVE-2023-3519, including information that can aid incident responders.