Project Hyphae

Citrix NetScaler ADC and Gateway zero-day


UPDATE 8/21/2023

As noted further down in this article, the need to threat-hunt remains after patching. An estimated 2,000 Citrix NetScalers have been found to contain web shells (attacker persistence) after the patch for CVE-2023-3519 was applied. A web shell survives the patch: it lets the attacker keep access to the affected environment for follow-on attacks even though the original vulnerability is closed.

Source: https://www.techrepublic.com/article/citrix-netscalers-compromised/

———–

On July 18th 2023, Citrix published a security bulletin covering three vulnerabilities in Citrix ADC and Citrix Gateway (now branded NetScaler ADC and NetScaler Gateway): a reflected Cross-Site Scripting vulnerability (CVE-2023-3466), a Privilege Escalation vulnerability (CVE-2023-3467), and an unauthenticated Remote Code Execution vulnerability (CVE-2023-3519). CVE-2023-3519 carries a critical CVSS score of 9.8 and is clearly the most dangerous of the three, but all three should be patched immediately.

The Remote Code Execution vulnerability (CVE-2023-3519) may bring back some not-so-fond memories of early 2020, when the ADC line faced another huge and widely exploited vulnerability (CVE-2019-19781). It is unclear at this time whether this vulnerability is on the same level as that one, but it was already being exploited before a fix was available, and it should be taken seriously.

Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog

CVE-2023-3519 has been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA)'s Known Exploited Vulnerabilities Catalog (KEV). CISA requires Federal Civilian Executive Branch (FCEB) agencies to remediate CVE-2023-3519 by August 9th, 2023. Although your organization may not fall under these requirements, KEV due dates are a good gauge for prioritizing your own vulnerability remediation. We would recommend patching much sooner than August 9th: patch as soon as possible.

Citrix security bulletin CTX561482

CVE ID        | Affected products          | Description                                          | Pre-requisites                                                                                                        | CWE     | CVSS
CVE-2023-3466 | Citrix ADC, Citrix Gateway | Reflected Cross-Site Scripting (XSS)                 | Requires victim to access an attacker-controlled link in the browser while on a network with connectivity to the NSIP | CWE-20  | 8.3
CVE-2023-3467 | Citrix ADC, Citrix Gateway | Privilege escalation to root administrator (nsroot)  | Authenticated access to NSIP or SNIP with management interface access                                                 | CWE-269 | 8.0
CVE-2023-3519 | Citrix ADC, Citrix Gateway | Unauthenticated remote code execution                | Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR an AAA virtual server   | CWE-94  | 9.8

(NSIP is the appliance's management IP address; SNIP is a subnet IP the appliance uses to reach back-end servers.)

Citrix encourages customers to update their NetScaler infrastructure as soon as possible to mitigate these vulnerabilities. Fixed builds are available for the following releases:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS, and
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

NetScaler ADC and NetScaler Gateway version 12.1 (the standard, non-FIPS/NDcPP release) is end of life and receives no fix; customers still running it should upgrade their appliances to a supported version to mitigate the threat.
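The fixed-build list above is easy to misread across a fleet, so here is a small version check, written for this article as an added example (it is not Citrix's or FRSecure's code). It transcribes the minimum fixed builds from the list, parses either the bulletin's "13.1-49.13" form or the banner printed by the appliance's `show ns version` command (the banner layout "NetScaler NS13.1: Build 49.13.nc, ..." is assumed here), and reports whether each appliance is fixed, vulnerable, or on a branch with no fix. The FIPS and NDcPP variants are not visible in the version number, so the operator supplies them; the sample inventory at the bottom is constructed.

```python
"""Decide whether a NetScaler ADC/Gateway build carries the CVE-2023-3519 fix."""
import re

# Minimum fixed build per (branch, variant), transcribed from the bulletin list above.
FIXED_BUILDS = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}

# Branches that only get fixed by upgrading to another release (standard 12.1 is end of life).
NO_FIX_BRANCHES = {("12.1", "")}

# Two input shapes: the bulletin's "13.1-49.13" and the 'show ns version' banner,
# e.g. "NetScaler NS13.1: Build 49.13.nc, Date: ..." (banner layout assumed here).
BULLETIN_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")
BANNER_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, (major_build, minor_build)) or raise ValueError."""
    text = text.strip()
    match = BULLETIN_RE.match(text) or BANNER_RE.search(text)
    if match is None:
        raise ValueError("unrecognised NetScaler version string: %r" % text)
    return match.group(1), (int(match.group(2)), int(match.group(3)))


def assess(text, variant=""):
    """Classify one appliance. `variant` is "", "FIPS" or "NDcPP"; the variant is not
    encoded in the version number, so the operator has to supply it."""
    branch, build = parse_version(text)
    if (branch, variant) in NO_FIX_BRANCHES:
        return "no fix for this branch: upgrade to a supported release"
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return "branch/variant not listed in the bulletin: check CTX561482"
    if build >= fixed:  # builds within a branch are numbered monotonically
        return "fixed"
    return "vulnerable: upgrade to %s-%d.%d or later" % (branch, fixed[0], fixed[1])


def assess_fleet(inventory):
    """inventory: iterable of (hostname, version_text, variant) -> {hostname: status}."""
    return {host: assess(version, variant) for host, version, variant in inventory}


if __name__ == "__main__":
    # Constructed inventory for demonstration; these are not real hosts.
    sample = [
        ("gw-01", "NetScaler NS13.1: Build 48.47.nc, Date: Jun 1 2023", ""),
        ("gw-02", "13.0-91.13", ""),
        ("gw-fips", "13.1-37.159", "FIPS"),
        ("gw-old", "12.1-65.39", ""),
    ]
    for host, status in assess_fleet(sample).items():
        print("%-8s %s" % (host, status))
```

Feed it the output of `show ns version` collected from each appliance together with the variant recorded in your inventory; a "fixed" result only means the build is at or above the bulletin's minimum, it says nothing about whether the box was compromised before the upgrade, which is what the threat-hunting section below is for.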

IOCs

IOC type        | Value
URL             | http://216[.]41[.]162[.]172/
IPv4            | 216[.]51[.]171[.]17
IPv4            | 216[.]41[.]162[.]172
FileHash-SHA256 | 0a2aee389e5767865b4a3f83e267282d92316b37c5288ae3786e2826d576debd
FileHash-SHA256 | 0a2529663e7257145ca303183937b0f6b4cee4c9cbdab665ad87fe4171f77551
FileHash-SHA256 | 09f1d0b08c0edb21c790ad4600dc6ddb675cb117a8f8ca3d4d34e98987235189
FileHash-SHA256 | 094abf4f608897bb1019e0f400669af6573c298ce0a9fc9ee3fd3490a12a31ab
FileHash-SHA256 | 08aa3b10a414da6a4688a6217e318a7fa424ffc28a687f269bbc38a4beedc367
FileHash-SHA256 | 054133de423a35ac98311cb0fb6b39ea1bc912be6a89b9a865ce1a0c68c82527
FileHash-SHA256 | 052d45e86f5df1da0e0ebeaf166cb2f69b7e710dfd0ffd3fb9507085cd554183
FileHash-SHA256 | 04bff9011fe3dcaf891dd712b74dab4e0405bbcafb2122c8a130395145f562fa
FileHash-SHA256 | 048e35dd9cb3d2ccb5b75e2f56e0558cf8343d8a0409127fc89611d75acceb08
FileHash-SHA256 | 03d5b4a245c0f3d7e772a8ef61d199ebc669d5579efb18e6ef494830f3acae0e
FileHash-SHA256 | 03b535715258bcd3f36e78df21d624109b4d3b06a24317f457237eb58f41af53
FileHash-SHA256 | 02dca1285db9cb5b96d51fd8ff64f25d023802fb18118888a67793a3b6351cda
FileHash-SHA256 | 025dc5978ec1526d62cc44c58600435ead5aa5d11a65abd6d4164a6bce93f422
FileHash-SHA256 | 0238a7397d84f89b98cd66db267d8af52ff134ac79bfe4196d32b0aaf6534449
FileHash-SHA256 | 018da4d625c47f767e8765c59626b522e7a2eec3788062651070b83e49c0a514
FileHash-SHA256 | 017c1b29cc9e28ddc5615617d9b08bba0c142a2382533bf8e19f6e038483d209
FileHash-SHA256 | 014477c82102597689066df18380f2ac84998ccdacf3833add2bb223dfd512d0
FileHash-SHA256 | 00784b34eb89b255742ff13ea41eb2e5cdd444a7d0053eabb247925b2c551252
FileHash-SHA256 | 006c6049c0f963296bd33e292624dbb26c0e8e843336bbc367adedd30cfce5e3
FileHash-SHA256 | 005fc826c50e406b34abf5c86a8b9f3dee2791ec0783d50415015188f4f566f6
FileHash-SHA1   | f6dbb0c927f1d9245dbc4eb7e1e84de28361ef86
FileHash-SHA1   | eccab5d21fd1fc9f4c61e310aa23948fe4d23471
FileHash-SHA1   | ac6423fbf9529fd31a75bda9788f7654461b7553
FileHash-SHA1   | 907ac9fbde885c2cc3a5fb6ac4933d068b9ecd31
FileHash-SHA1   | 3b9bdae9a850571db3f4c4e6ec37ba06cd9dad55
FileHash-MD5    | e4b1d1ac6aa4154f3024985cdfaf676c
FileHash-MD5    | c276eedd8bf709444ba371a0178e3e44
FileHash-MD5    | 768f643512502329b5f4ca17d457d8ba
FileHash-MD5    | 59ee97f0d4ef8aa90ce2daf48d42c670
FileHash-MD5    | 0e21c206eee88e04403acc4d239b3016

(Network indicators are defanged with [.]; remove the brackets before loading them into a blocklist or search.)

https://www.virustotal.com/graph/g6a29f00ad5d54977bb9009805fe5c388d855fdd557e949ffb9904390f62d9a84

As always, the first step is to get these patches in place. However, as we usually see, most folks are not thinking about threat hunting once the patch is applied. Widely publicized vulnerabilities like this one are exploited quickly, and attackers leave behind persistence mechanisms (the web shells noted in the update above) that keep working after the vulnerability itself is closed. Patching shuts the door; it does not evict anyone who is already inside. So, once you patch, begin threat hunting: search for the indicators of compromise listed above, look for files created or modified in the appliance's web and VPN directories since the last legitimate upgrade, and review logins and administrative sessions from unexpected locations.
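To make the hunt above concrete, here is an added example (not code from this article, Citrix, or FRSecure) that applies the two checks the paragraph describes, and that also serves the web-shell point from the 8/21 update: it hashes every file under a set of NetScaler directories in a filesystem export and matches the digests against the IOC list, flags anything written after a baseline date, and sweeps log lines for the IOC addresses. The directory list is an assumption drawn from public reporting on where post-exploitation files were dropped on these appliances (adjust it to your firmware layout), only a subset of the IOC hashes is embedded to keep the block short, and the export tree and log lines used for the demo run are constructed on the fly.

```python
"""Post-patch hunt over a NetScaler ADC/Gateway filesystem export (added example)."""
import hashlib
import re
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Values copied from the IOC table above, defanging brackets removed so they match
# raw log text. Extend IOC_HASHES with the full list when running a real hunt.
IOC_IPS = {"216.51.171.17", "216.41.162.172"}
IOC_HASHES = {
    "0a2aee389e5767865b4a3f83e267282d92316b37c5288ae3786e2826d576debd",
    "005fc826c50e406b34abf5c86a8b9f3dee2791ec0783d50415015188f4f566f6",
    "f6dbb0c927f1d9245dbc4eb7e1e84de28361ef86",
    "e4b1d1ac6aa4154f3024985cdfaf676c",
}
# Directories (relative to the export root) where public reporting placed
# post-exploitation artefacts on NetScaler appliances. Assumed for this example.
HUNT_DIRS = ["netscaler/ns_gui", "var/vpn", "var/netscaler/logon", "var/python"]
# Bulletin date: anything in HUNT_DIRS written after the last legitimate upgrade
# that preceded it needs explaining. Replace with your own upgrade timestamp.
BULLETIN_DATE = datetime(2023, 7, 18, tzinfo=timezone.utc)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def file_hashes(path):
    """MD5, SHA-1 and SHA-256 hex digests of one file, read in 1 MiB chunks."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for digest in digests:
                digest.update(chunk)
    return {digest.hexdigest() for digest in digests}


def hunt_files(root, ioc_hashes, baseline=None):
    """Return [(relative_path, [reasons])] for suspicious files under HUNT_DIRS:
    a digest that is a known IOC, or (if `baseline` is given) an mtime after it."""
    root = Path(root)
    findings = []
    for rel in HUNT_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for path in sorted(p for p in base.rglob("*") if p.is_file()):
            reasons = []
            if file_hashes(path) & set(ioc_hashes):
                reasons.append("hash matches IOC")
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            if baseline is not None and mtime > baseline:
                reasons.append("modified after %s" % baseline.date())
            if reasons:
                findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def hunt_logs(lines, ioc_ips):
    """Return [(line_number, ip, line)] for log lines that mention an IOC address."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in ioc_ips:
                hits.append((number, ip, line.rstrip()))
    return hits


def build_sample_export():
    """Constructed throw-away export: one planted file (its hash stands in for an
    IOC) and one benign file. Returns (root, sha256 of the planted file)."""
    root = Path(tempfile.mkdtemp(prefix="ns-export-"))
    gui = root / "netscaler" / "ns_gui" / "vpn"
    gui.mkdir(parents=True)
    planted = gui / "planted.php"
    planted.write_bytes(b"<?php /* constructed placeholder, not a real web shell */ ?>")
    (gui / "index.html").write_bytes(b"<html>constructed benign page</html>")
    return root, hashlib.sha256(planted.read_bytes()).hexdigest()


# Constructed lines in the shape of an HTTP access log; not real appliance data.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jul/2023:08:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 4821',
    '216.41.162.172 - - [19/Jul/2023:08:00:13 +0000] "GET / HTTP/1.1" 200 1330',
    '10.0.0.9 - - [19/Jul/2023:08:01:44 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 7110',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: python hunt.py /mnt/ns-export
        root, hashes = Path(sys.argv[1]), IOC_HASHES
    else:                  # demo run on the constructed tree
        root, planted_hash = build_sample_export()
        hashes = IOC_HASHES | {planted_hash}
    for rel_path, why in hunt_files(root, hashes, BULLETIN_DATE):
        print("FILE %s: %s" % (rel_path, ", ".join(why)))
    for number, ip, line in hunt_logs(SAMPLE_LOG, IOC_IPS):
        print("LOG  line %d contacts IOC %s: %s" % (number, ip, line))
```

Run it against a copy of the appliance filesystem (a mounted image or an archive pulled off the box) rather than on the live appliance, and treat every "modified after" hit as something to explain, not as proof of compromise: legitimate upgrades also touch these directories, which is why the baseline has to be the time of your last known-good upgrade. Hash matches are the high-confidence signal; a web shell that was renamed or re-encoded will not match, so the mtime and log checks are what catch the variants.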

Once more details on post-exploitation activity have been made public, FRSecure will update this post with additional threat-hunting guidance.

Sources:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3519

https://nvd.nist.gov/vuln/detail/CVE-2023-3519

https://thehackernews.com/2023/07/zero-day-attacks-exploited-critical.html

https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-day/



Reach out to our incident response team for help
