As is noted in this article, the need to threat-hunt remains after patching. An estimated 2000 Citrix Netscalers have been found containing web shells (attacker persistence) AFTER the patch for CVE-2023-3519 has been applied. The presence of these web shells will allow an attacker to maintain access to the impacted environment for further attacks.
On July 18th 2023, Citrix announced 3 vulnerabilities for Citrix ADC and Citrix Gateway. One vulnerability in particular has been awarded a critical severity score of 9.8. CVE-2023-3519 and is obviously the most dangerous as evidenced by the CVSS score, but all three should be patched immediately as they are a Cross-Site Scripting vulnerability, Privilege Escalation vulnerability, and a Remote Code Execution vulnerability.
With the Remote Code Execution vulnerability (CVE-2023-3519) this may bring back some not-so-fond memories of early 2020 when the ADC line faced another huge, and widely exploited, vulnerability. It’s unclear at this time if this vulnerability is on the same level as the previous one in 2020, but it should be taken seriously.
Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog
CVE-2023-3519 has been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities Catalog (KEV). CISA requires Federal Civilian Executive Branch (FCEB agencies to have the CVE-2023-3519 remediated by August 9th, 2023. Although your organization may not fall under these requirements, CISA’s KEV requirements are a good gauge for your organization to use for prioritized vulnerability management remediation guidance. We would recommend patching much sooner than August 9th, patch ASAP.
|CVE ID||Affected Products||Description||Pre-requisites||CWE||CVSS|
|CVE-2023-3466||Citrix ADC, Citrix Gateway||Reflected Cross-Site Scripting (XSS)||Requires victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIP||CWE-20||8.3|
|CVE-2023-3467||Citrix ADC, Citrix Gateway||Privilege Escalation to root administrator (nsroot)||Authenticated access to NSIP or SNIP with management interface access||CWE-269||8|
|CVE-2023-3519||Citrix ADC, Citrix Gateway||Unauthenticated remote code execution||Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server||CWE-94||9.8|
Citrix encourages customers to update Citrix NetScaler infrastructure as soon as possible to mitigate the vulnerability. Patches have been made available for the versions found below:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS, and
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Customers of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version to mitigate potential threats.
As always, the first step is to get these patches in place. However, as we usually see, most folks aren’t thinking about threat-hunting even after the patch is applied. In general, these widely publicized vulnerabilities are exploited quickly with attackers leaving behind persistence mechanisms that will allow access even after patching. So, once you patch, begin threat hunting. Look for indicators of compromise, files that may have been newly created, logins from suspicious locations, etc.
Once more details on post-exploitation activity have been made public, FRSecure will update this post to assist with threat hunting.