Tenable Blog

CVE-2023-3519: Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)

Citrix patches critical remote code execution flaw (CVE-2023-3519) in NetScaler ADC and Gateway appliances that was exploited in the wild

Citrix has released a patch fixing a remote code execution vulnerability in several versions of Netscaler ADC and Netscaler Gateway that has been exploited. Organizations are urged to patch immediately.

Update September 6: The blog has been updated to include additional information from CISA in an update to a previously released cybersecurity advisory.

Background

On July 18, Citrix published a security bulletin (CTX561482) that addresses a critical remote code execution (RCE) vulnerability in Netscaler ADC (formerly known as Citrix ADC) and Netscaler Gateway (formerly known as Citrix Gateway).

| CVE | Description | CVSSv3 | Severity |
| --- | --- | --- | --- |
| CVE-2023-3519 | Unauthenticated Remote Code Execution vulnerability | 9.8 | Critical |

In addition to CVE-2023-3519, Citrix patched two additional vulnerabilities in its ADC and Gateway appliances:

| CVE | Description | CVSSv3 | Severity |
| --- | --- | --- | --- |
| CVE-2023-3466 | Reflected Cross-Site Scripting (XSS) vulnerability | 8.3 | High |
| CVE-2023-3467 | Privilege Escalation to root administrator (nsroot) vulnerability | 8.0 | High |

Analysis

CVE-2023-3519 is an RCE vulnerability in Netscaler ADC and Netscaler Gateway. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code on a vulnerable appliance. For a target appliance to be vulnerable to exploitation, it must be configured as a Gateway (e.g. VPN, ICA Proxy, CVP, RDP Proxy) or as an AAA virtual server. The vulnerability is rated as critical, and Citrix reports that “Exploits of CVE-2023-3519 on unmitigated appliances have been observed.”

ADC and Gateway Historically Targeted by Attackers

Citrix’s ADC and Gateway appliances have been a valuable target for attackers in the past. For instance, in December 2022, Citrix patched another critical RCE vulnerability, CVE-2022-27518, in Citrix ADC and Gateway that was also being exploited.

Following the disclosure of CVE-2019-19781, another unauthenticated RCE vulnerability in ADC and Gateway appliances, in late 2019, active exploitation began in early 2020, and it remained a popular vulnerability with a variety of attackers, including Chinese state-sponsored threat actors, Iran-based threat actors and Russian state-sponsored threat groups, as well as ransomware groups. Additionally, CVE-2019-19781 was featured as one of the Top 5 vulnerabilities in our 2020 Threat Landscape Retrospective report.

Due to the historical nature of exploitation against ADC and Gateway appliances, we strongly urge organizations to patch CVE-2023-3519 as soon as possible.

Proof of concept

At the time that this blog post was published, there was no proof-of-concept available for CVE-2023-3519.

Solution

Citrix detailed the affected and fixed versions in its security bulletin for CVE-2023-3519.

| Affected Product | Affected Version | Fixed Version |
| --- | --- | --- |
| NetScaler ADC and NetScaler Gateway 13.1 | Before 13.1-49.13 | 13.1-49.13 and later releases |
| NetScaler ADC and NetScaler Gateway 13.0 | Before 13.0-91.13 | 13.0-91.13 and later |
| NetScaler ADC 13.1-FIPS | Before 13.1-37.159 | 13.1-37.159 and later |
| NetScaler ADC 12.1-FIPS | Before 12.1-55.297 | 12.1-55.297 and later |
| NetScaler ADC 12.1-NDcPP | Before 12.1-55.297 | 12.1-55.297 and later |

Citrix also notes that NetScaler ADC and NetScaler Gateway version 12.1 is End of Life (EOL), and users are urged to upgrade to a supported version immediately.
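To turn the version table above into a repeatable inventory check, the following is an added example (not Citrix's or Tenable's code). It parses NetScaler build strings in the form shown in the table (e.g. "13.1-49.13") and compares them against the fixed build for the branch the caller names; the branch keys, the separate handling of FIPS/NDcPP builds and the sample inventory are assumptions made for the example.

```python
# Added example: classify NetScaler ADC/Gateway builds against the fixed
# versions Citrix listed for CVE-2023-3519. Branch names and the
# "MAJOR.MINOR-BUILD.SUB" version format are assumptions based on the table.
import re

# Minimum fixed build per branch, taken from the bulletin table above.
FIXED_BUILDS = {
    "13.1":       "13.1-49.13",
    "13.0":       "13.0-91.13",
    "13.1-FIPS":  "13.1-37.159",
    "12.1-FIPS":  "12.1-55.297",
    "12.1-NDcPP": "12.1-55.297",
}

# Standard 12.1 is End of Life: no fixed build exists, only an upgrade path.
EOL_BRANCHES = {"12.1"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> tuple:
    """Turn '13.1-49.13' into the sortable tuple (13, 1, 49, 13)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(branch: str, version: str) -> str:
    """Return 'eol', 'vulnerable', 'fixed' or 'unknown-branch' for one appliance."""
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"  # branch not covered by the table; check the bulletin
    return "fixed" if parse_build(version) >= parse_build(fixed) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, branch, build reported by the appliance)
    inventory = [
        ("gw-01", "13.1",      "13.1-48.47"),
        ("gw-02", "13.1",      "13.1-49.13"),
        ("gw-03", "13.1-FIPS", "13.1-37.150"),
        ("gw-04", "12.1",      "12.1-65.39"),
    ]
    for host, branch, build in inventory:
        print(f"{host}: {build} on {branch} -> {assess(branch, build)}")
```

Note that a FIPS build number is only meaningful on its own branch: 13.1-37.159 is fixed for 13.1-FIPS even though it is numerically lower than the standard 13.1 fix.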

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

On July 20, the Cybersecurity and Infrastructure Security Agency (CISA) released Cybersecurity Advisory (CSA) AA23-201A with further details on the tactics, techniques, and procedures (TTPs) of a threat actor that exploited CVE-2023-3519. This CSA includes information that can aid incident responders and also provides MITRE ATT&CK IDs. The CSA notes that this threat actor planted a webshell on the impacted victim's NetScaler ADC appliance and used this webshell to collect and exfiltrate Active Directory (AD) data. The attacker then attempted to move laterally to a domain controller. We recommend reviewing this CSA for further information to aid in incident response activity if you suspect your organization may have been impacted by this vulnerability.

On September 6, CISA released an update to CSA AA23-201A with additional information, including newly observed TTPs and indicators of compromise (IOCs).

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Change Log

Update September 6: The blog has been updated to include additional information from CISA in an update to a previously released cybersecurity advisory.

Update July 21: The blog has been updated to include a link to a Cybersecurity Advisory with additional details on the exploitation of CVE-2023-3519, including information that can aid incident responders.
