Citrix is urging users of its NetScaler Application Delivery Controller (ADC) and Gateway products to update to the latest versions as soon as possible to address three security vulnerabilities.
Citrix released the patches amid reports that the most severe of the three vulnerabilities, CVE-2023-3519, which allows remote code execution without authentication, is actively being exploited in the wild. It’s believed that an exploit for CVE-2023-3519, advertised on a hacker forum on July 6, 2023, is the active exploitation Citrix referenced in its statement.
Ad for Citrix RCE exploit (Source: Bleeping Computer)
Fortunately, the exploit only works if the vulnerable appliance is configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server, which reduces the number of potentially exploitable devices.
The two other vulnerabilities, designated CVE-2023-3466 and CVE-2023-3467, both have high severity scores. CVE-2023-3466 is a reflected cross-site scripting (XSS) issue that can be exploited if a victim loads a link from an attacker in their browser and the vulnerable appliance is reachable from the same network. CVE-2023-3467 allows an attacker with authenticated access to the appliance’s IP address or management interface to elevate privileges to those of a root administrator.
Source: Bleeping Computer
Analysis
Citrix’s large product suite is deployed widely throughout the world (see below) and has a history of being exploited by nation-state actors and cybercriminals alike, sometimes with deadly consequences.
Scan results for Citrix's devices (Source: Shodan.io)
In 2020, a ransomware attack exploiting Citrix vulnerability CVE-2019-19781 on the University Hospital of Dusseldorf resulted in the death of a patient due to the loss of availability of hospital systems. Also in 2020, the ransomware group Sodinokibi used CVE-2019-19781 to compromise GEDIA Automotive Group, a German automobile manufacturer, and later sold GEDIA’s data and access to the compromised servers on the dark web.
Ransomware groups DoppelPaymer, Ragnarok, Nemty, and Maze are also known to leverage CVE-2019-19781.
CVE-2019-19781 is also popular among state-sponsored actors. For example, APT 29, a group attributed to Russia’s Foreign Intelligence Service (SVR), took advantage of CVE-2019-19781 and other flaws in NetScaler ADC and Gateway to perform arbitrary code execution and deploy various malicious payloads, leading to the compromise of sensitive information and data.
All these attacks took place after Citrix had released a patch to fix CVE-2019-19781, underscoring the importance of patching systems in a timely manner.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices and software like Citrix NetScaler. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software and devices are detected in their environment and are encouraged to review these AROs as quickly as possible.
Given that gateways, VPNs, and network controllers are popular targets for hackers, it’s extremely important to ensure that these systems are not only patched, but tested regularly for unknown vulnerabilities, misconfigurations, rogue user accounts, and other signs of compromise.
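The first thing a defender wants from the two points above (the gateway/authentication-vserver precondition and the advice to check appliances rather than assume they are patched) is a quick way to triage an inventory of NetScaler appliances. The script below is an added example, not code from Field Effect or Citrix. It takes the text of "show ns version" and an ns.conf excerpt (both constructed samples here), checks whether the build is older than a fixed build for that release line, and checks whether the appliance is running in an exploitable role. The "add vpn vserver" / "add authentication vserver" line formats and the version string layout are assumptions about the NetScaler CLI; ICA Proxy, clientless VPN and RDP Proxy are treated as modes of a vpn vserver, so one check covers them. The fixed build numbers are placeholders to be replaced with those from the Citrix bulletin.

```python
import re
from dataclasses import dataclass

# Constructed sample output of "show ns version" on a NetScaler appliance.
# The line format is an assumption based on how the CLI commonly prints it.
SAMPLE_NS_VERSION = (
    "NetScaler NS13.1: Build 48.47.nc, Date: May 10 2023, 07:37:56   (64-bit)"
)

# Constructed ns.conf excerpt. "add vpn vserver" and "add authentication vserver"
# create Gateway and AAA virtual servers; ICA Proxy, clientless VPN and RDP Proxy
# are modes of a vpn vserver, so one check covers all the roles named in the advisory.
SAMPLE_NS_CONF = """\
set ns hostName ns-edge-01
add authentication vserver aaa_vs SSL 10.0.0.2 443
add vpn vserver gw_vs SSL 10.0.0.1 443
set vpn vserver gw_vs -icaOnly ON
add lb vserver web_lb HTTP 10.0.0.5 80
"""

# PLACEHOLDER fixed builds per release line (illustrative only):
# replace with the build numbers published in the vendor bulletin.
FIXED_BUILDS = {"13.1": (49, 13), "13.0": (91, 13)}

VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")
VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver (\S+)", re.M)


@dataclass
class Assessment:
    release: str
    build: tuple
    below_fixed: bool       # build is older than the fixed build for its release line
    exposed_vservers: list  # (kind, name) pairs that put the appliance in an exploitable role
    likely_exposed: bool    # both conditions hold: patch this appliance first


def parse_version(text):
    """Extract (release, (build_major, build_minor)) from 'show ns version' output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised version string")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def exposed_vservers(ns_conf):
    """Return the Gateway (vpn) and AAA (authentication) vservers defined in ns.conf."""
    return [(kind, name) for kind, name in VSERVER_RE.findall(ns_conf)]


def assess(version_text, ns_conf, fixed_builds=FIXED_BUILDS):
    """Combine version and role checks into one triage verdict for an appliance."""
    release, build = parse_version(version_text)
    fixed = fixed_builds.get(release)
    # An unknown release line is treated as unpatched so it is never silently skipped.
    below = fixed is None or build < fixed
    vservers = exposed_vservers(ns_conf)
    return Assessment(release, build, below, vservers, below and bool(vservers))


if __name__ == "__main__":
    a = assess(SAMPLE_NS_VERSION, SAMPLE_NS_CONF)
    print(f"release {a.release} build {a.build[0]}.{a.build[1]}, below fixed: {a.below_fixed}")
    for kind, name in a.exposed_vservers:
        print(f"exposed role: {kind} vserver {name}")
    print("likely exposed, patch first:", a.likely_exposed)
```

An appliance that is below the fixed build but defines only load-balancing vservers is still reported as unpatched (it needs the update for the other two CVEs), but it is not flagged as likely exposed to the unauthenticated RCE, which matches the precondition described above.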
Field Effect strongly encourages users of NetScaler ADC and Gateway to update to the latest version as soon as possible.