
CVE-2023-3519: 0-day vulnerability exploited in the wild in Citrix NetScaler

CVE-2023-3519 allows unauthenticated remote code execution on affected systems.

On July 18, 2023, Citrix released information and updates to address a critical vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway.  This vulnerability allows unauthenticated remote code execution on affected systems.

In addition, two other vulnerabilities, Cross-Site-Scripting (CVE-2023-3466) and elevation of privilege (CVE-2023-3467), have been patched in the updates.

Citrix NetScaler ADC is an Application Delivery Controller built to optimize, manage and protect Layer 4 to Layer 7 (L4-L7) network traffic.

Although no specific details about the vulnerability have been published, it is known to be actively exploited, so the affected assets must be updated urgently.

CVE-2023-3519 main characteristics

The following are the key characteristics of this vulnerability:

  • CVE Identifier: CVE-2023-3519
  • CVSS Value: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • Publication Date: 18/07/2023
  • Affected Software: NetScaler ADC and NetScaler Gateway
  • Affected Versions:
    • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
    • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
    • NetScaler ADC 13.1-FIPS 1 before 13.1-37.159
    • NetScaler ADC 12.1-FIPS 1 before 12.1-55.297
    • NetScaler ADC 12.1-NDcPP 1 before 12.1-55.297

Mitigation

The vendor has released an official advisory recommending that the software be upgraded to one of the fixed versions:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases of 13.1.
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0.
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS.
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS.

Important! There are no patches for NetScaler (Citrix ADC) version 12.1 or earlier. These systems have reached end-of-life, so no patch will be provided for them; they must be upgraded to the latest 13.0 or 13.1 release.

Indicators of compromise

Since its exploitation has been seen in the wild, certain indicators of compromise have been published to help auditors and threat hunters detect previous intrusions:

  • Origin IP addresses:
    • 216.41.162.172
    • 216.51.171.17

In addition, a preliminary guide to investigate possible intrusions has been unofficially published.
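The two source addresses above are the only published network indicators, so the first thing a threat hunter will do is sweep access logs for them. The following is an added example (not code from the original post or from Citrix) showing how to do that with exact address matching rather than substring search. The log lines are constructed samples in a generic access-log layout, not real NetScaler output; the point of the third line is that a naive substring search for 216.51.171.17 would also flag the unrelated address 216.51.171.170.

```python
import ipaddress
import re

# Source addresses published as indicators of compromise (taken from the advisory text above)
IOC_ADDRESSES = {ipaddress.ip_address(a) for a in ("216.41.162.172", "216.51.171.17")}

# Constructed sample log lines (common access-log layout, not genuine NetScaler records)
SAMPLE_LOG = """\
216.41.162.172 - - [18/Jul/2023:10:02:11 +0000] "POST /vpn/ HTTP/1.1" 200 512
10.0.0.5 - - [18/Jul/2023:10:02:12 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8192
216.51.171.170 - - [18/Jul/2023:10:03:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096
216.51.171.17 - - [18/Jul/2023:10:03:05 +0000] "POST /vpn/ HTTP/1.1" 302 0
not a log line at all
"""

# The client address is the first whitespace-delimited token of each line
LEADING_TOKEN_RE = re.compile(r"^(\S+)\s")


def source_ip(line):
    """Return the leading client address of a log line as an ip_address, or None if absent/invalid."""
    m = LEADING_TOKEN_RE.match(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def find_ioc_hits(log_text, iocs=IOC_ADDRESSES):
    """Return (line number, address, raw line) for every line whose source address is an IoC.

    Addresses are compared as parsed ip_address objects, so 216.51.171.170 does not
    match the indicator 216.51.171.17.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        ip = source_ip(line)
        if ip is not None and ip in iocs:
            hits.append((lineno, str(ip), line))
    return hits


def naive_substring_hits(log_text, iocs=("216.41.162.172", "216.51.171.17")):
    """The shortcut to avoid: plain substring search, shown here only to expose its false positive."""
    return [
        lineno
        for lineno, line in enumerate(log_text.splitlines(), start=1)
        if any(ioc in line for ioc in iocs)
    ]


if __name__ == "__main__":
    for lineno, ip, line in find_ioc_hits(SAMPLE_LOG):
        print(f"line {lineno}: source {ip} matches IoC -> {line}")
    print("naive substring search would flag lines:", naive_substring_hits(SAMPLE_LOG))
```

Run against real logs, swap `SAMPLE_LOG` for the file contents; if the log format puts the client address elsewhere (for example behind a proxy header), adjust `source_ip` rather than falling back to substring matching.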

Detection of the vulnerability

No details have been released about how CVE-2023-3519 is exploited. That is why the only available check is to compare the version number the appliance reports about itself against the list of fixed builds.
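Because the version number is the only signal, the check worth automating is the comparison of a reported version against the fixed builds listed in this post. The following is an added example (not code from the original post or from Citrix) that encodes the advisory's affected-version table and classifies a version string. It assumes the version is supplied in the advisory's own "release-build.sub" notation (for example `13.1-48.47`) with the FIPS/NDcPP variant passed separately; that input convention is an assumption of the example, not a documented NetScaler format. Versions on the 12.1 branch without a FIPS/NDcPP variant are reported as end-of-life, matching the note above that no patch exists for them.

```python
import re

# First fixed build per (release branch, variant), from the affected-version list in this post.
# Tuple comparison on (build, sub-build) gives the "before X" semantics of the advisory.
FIXED_BUILDS = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}

# Highest non-FIPS/NDcPP release with no patch available (12.1 and earlier are end-of-life)
LAST_EOL_RELEASE = (12, 1)

# Assumed input notation: "<major>.<minor>-<build>.<sub>", e.g. "13.1-48.47"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Parse '13.1-48.47' into ((13, 1), (48, 47)); raise ValueError for anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor), (build, sub)


def assess(version, variant=""):
    """Classify a reported version as 'fixed', 'vulnerable', 'end-of-life' or 'unknown'.

    variant is '' for standard builds, 'FIPS' or 'NDcPP' for the special builds
    that have their own fix levels in the advisory.
    """
    release, build = parse_version(version)
    release_str = f"{release[0]}.{release[1]}"
    key = (release_str, variant.strip())
    if key in FIXED_BUILDS:
        return "fixed" if build >= FIXED_BUILDS[key] else "vulnerable"
    if key[1] == "" and release <= LAST_EOL_RELEASE:
        # No patch exists for these branches; the only remedy is upgrading to 13.0/13.1
        return "end-of-life"
    # A branch the advisory does not list (e.g. a newer release): do not guess
    return "unknown"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, reported version, variant)
    inventory = [
        ("gw-1", "13.1-48.47", ""),
        ("gw-2", "13.1-49.13", ""),
        ("adc-fips", "12.1-55.296", "FIPS"),
        ("adc-legacy", "12.1-65.39", ""),
    ]
    for host, ver, var in inventory:
        print(f"{host:10} {ver:12} {var or '-':6} -> {assess(ver, var)}")
```

Feed it the version each appliance reports and treat anything other than "fixed" as needing action; "unknown" means the branch is outside the advisory's table and should be checked against the vendor's current bulletin rather than assumed safe.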

As part of its emerging vulnerabilities service, Tarlogic Security proactively monitors its clients' perimeter to promptly detect and notify them of the presence of this vulnerability, as well as of other critical threats that could have a severe impact on asset security.
