By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence
Cloud-computing company Citrix has begun alerting customers as to a critical vulnerability in its Netscaler ADC and NetScaler gateway applications. CVE-2023-3519 has been observed being exploited in the wild, and all users of the affected applications are being urged to ensure recent updates and patches are installed.
For a threat actor to utilise this vulnerability, a vulnerable appliance would need to be configured as a gateway (e.g. CVPN, ICA Proxy, RDP Proxy, VPN virtual server) or as an authentication virtual server (AAA server)
Identified through our OSINTSEARCH tool, exploits against Citrix ADC have been discussed, including the sale of a Remote Code Execution (RCE) exploit, on the cybercrime forum XSS:
And with translation…
Citrix strongly advises its customers to switch to updated versions that fixes this issue:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP
The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.
Citrix customers can begin researching any potential compromise by identifying web shells that are newer than the last installation date of Citrix software. HTTP error logs may also reveal anomalies indicative of initial exploitation. SysAdmins should also review shell logs for any unexpected commands, which may be indicative of the post-exploitation phase of an attack.