CVE-2023-3519: Critical Zero-Day Vulnerability in Citrix ADC and Gateway


Today, Citrix, the well-regarded networking solutions provider, shook the cybersecurity world with a cautionary announcement: it had discovered three new vulnerabilities. These security flaws, located within the NetScaler ADC and NetScaler Gateway product lines, pose a serious risk to companies worldwide, potentially exposing crucial systems to dangerous exploits.

Among the disclosed vulnerabilities, CVE-2023-3519 holds the dubious distinction of being the most critical. This alarming flaw enables unauthenticated attackers to execute code remotely on vulnerable systems configured as a Gateway. To understand the magnitude of the threat, it’s important to recognize that CVE-2023-3519 has already been exploited in the wild.

Understanding the Vulnerabilities

1. CVE-2023-3466 (CVSS score of 8.3) – This is a reflected cross-site scripting (XSS) vulnerability. Successful exploitation requires the victim to access a specific link controlled by an attacker while on a network with connectivity to the NetScaler IP (NSIP).

2. CVE-2023-3467 (CVSS score of 8) – This vulnerability allows for privilege escalation up to the root administrator level (nsroot). It essentially enables an attacker to gain total control of the system and perform any action without limitation.

3. CVE-2023-3519 (CVSS score of 9.8) – The most severe of the three, this vulnerability allows unauthenticated remote code execution. Note that for this vulnerability to be exploited, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Affected Citrix Products and Recommendations

The following Citrix products are reportedly vulnerable to these exploits:

– NetScaler ADC and NetScaler Gateway 13.1 versions before 13.1-49.13
– NetScaler ADC and NetScaler Gateway 13.0 versions before 13.0-91.13
– NetScaler ADC 13.1-FIPS versions before 13.1-37.159
– NetScaler ADC 12.1-FIPS versions before 12.1-65.36
– NetScaler ADC 12.1-NDcPP versions before 12.1-65.36

Notably, Citrix has declared NetScaler ADC and NetScaler Gateway version 12.1 End Of Life (EOL), and that version is also vulnerable to these exploits. If your organization relies on this EOL version, Citrix strongly advises upgrading your appliances to one of the supported fixed versions below.

Citrix’s Countermeasures

Citrix has taken immediate steps to combat these vulnerabilities. All three CVEs are remediated in the following fixed product versions:

– NetScaler ADC and NetScaler Gateway 13.1-49.13 and subsequent releases of 13.1
– NetScaler ADC and NetScaler Gateway 13.0-91.13 and subsequent releases of 13.0
– NetScaler ADC 13.1-FIPS 13.1-37.159 and subsequent releases of 13.1-FIPS
– NetScaler ADC 12.1-FIPS 12.1-65.36 and subsequent releases of 12.1-FIPS
– NetScaler ADC 12.1-NDcPP 12.1-65.36 and subsequent releases of 12.1-NDcPP
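The affected and fixed version lists above translate directly into a triage check: parse each appliance's version in the advisory's own "branch-build.sub" notation, compare it against the first fixed build for its branch and variant, and flag which CVEs it is exposed to, counting CVE-2023-3519 only where the appliance is configured as a Gateway or AAA virtual server. The script below is an added example, not Citrix code; the hostnames and inventory entries are constructed, and the `variant` argument ("" for standard, "FIPS" or "NDcPP") is an assumption of this example rather than something Citrix's version string carries.

```python
import re

# First fixed build per (branch, variant), as listed in the advisory summary above.
FIXED_BUILDS = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (65, 36),
    ("12.1", "NDcPP"): (65, 36),
}
EOL_BRANCHES = {("12.1", "")}  # plain 12.1 is End Of Life: vulnerable, no fix available
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")  # advisory notation, e.g. "13.1-49.13"

def parse_version(text):
    """Split '13.1-49.13' into ('13.1', (49, 13)); tuples compare build, then sub-build."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, build, sub = m.groups()
    return branch, (int(build), int(sub))

def assess(version, variant="", gateway_or_aaa=False):
    """Return (state, exposed_cves); state is 'patched', 'unpatched', 'eol' or 'unknown'."""
    branch, build = parse_version(version)
    key = (branch, variant)
    if key in EOL_BRANCHES:
        state = "eol"
    elif key not in FIXED_BUILDS:
        return "unknown", []  # branch/variant not covered by the advisory
    elif build >= FIXED_BUILDS[key]:
        return "patched", []
    else:
        state = "unpatched"
    exposed = ["CVE-2023-3466", "CVE-2023-3467"]
    if gateway_or_aaa:  # advisory precondition for the RCE: Gateway or AAA vserver
        exposed.append("CVE-2023-3519")
    return state, exposed

if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, variant, is Gateway/AAA vserver)
    inventory = [
        ("ns-edge-01", "13.1-48.47", "", True),
        ("ns-edge-02", "13.1-49.13", "", True),
        ("ns-fips-01", "13.1-37.150", "FIPS", False),
        ("ns-legacy-01", "12.1-65.25", "", True),
    ]
    for host, ver, variant, gw in inventory:
        state, cves = assess(ver, variant, gw)
        print(f"{host} {ver}{'-' + variant if variant else ''}: {state} {cves}")
```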

It’s critical to remember that the cybersecurity landscape is continuously evolving, with attackers constantly seeking out and exploiting new vulnerabilities. Given the severity of these vulnerabilities and the fact that CVE-2023-3519 has already been spotted in the wild, it is of utmost importance that all organizations using the affected Citrix products take immediate action to secure their systems.