Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
On July 19, 2023, Citrix issued a warning about a critical security vulnerability affecting its NetScaler Application Delivery Controller (ADC) and Gateway products. The vulnerability, known as CVE-2023-3519 (with a CVSS score of 9.8), involves a code injection issue that is actively being exploited in the wild.
The flaw allows for unauthenticated remote code execution, posing a significant risk to affected systems. The impacted versions include:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1 (which is currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
Citrix has not provided extensive details about the specific nature of the vulnerability associated with CVE-2023-3519. However, it has confirmed that exploits for this flaw have been detected on devices that have not implemented any mitigations.
To successfully exploit this vulnerability, the affected device must be configured as either a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication, authorization and accounting (AAA) virtual server.
Given the severity of this vulnerability and the active exploitation, Citrix users should take immediate action to update their affected NetScaler ADC and Gateway versions to the latest available patches or apply any mitigations recommended by the vendor. Failure to do so could leave their systems exposed to potential remote code execution and unauthorized access.
Alongside CVE-2023-3519, two other bugs have also been addressed:
- CVE-2023-3466 (CVSS score: 8.3) - This flaw involves improper input validation, leading to a reflected cross-site scripting (XSS) attack.
- CVE-2023-3467 (CVSS score: 8.0) - This vulnerability pertains to improper privilege management, resulting in privilege escalation to the root administrator (nsroot).
These bugs were reported by Wouter Rijkbost and Jorren Geurts of Resillion. Citrix has released patches to rectify the three vulnerabilities in the following versions of their products:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and subsequent releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of version 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of the FIPS version 13.1
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of the FIPS version 12.1
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of the NDcPP version 12.1
For users running NetScaler ADC and NetScaler Gateway version 12.1, it is advised to upgrade to a supported version to minimize potential threats.
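The affected and fixed builds listed above can be turned into an inventory check. The following script is an added example, not code from Citrix or from the article; it takes builds in the advisory's own "train-release.number" notation with an assumed "-FIPS" / "-NDcPP" suffix for the variant trains, and the role names for Gateway and AAA virtual servers are this example's labels, not NetScaler configuration keywords.

```python
import re

# First fixed builds from the Citrix advisory summarised above, keyed by
# (release train, variant). Builds are compared as (release, number) integer
# pairs: 37.159 is newer than 37.16, which a float comparison would get wrong.
FIXED_BUILDS = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}
# The plain 12.1 train is end-of-life: there is no fixed build, only an upgrade.
EOL_TRAINS = {("12.1", "")}

# Configurations the advisory names as required for exploitation (assumed labels).
EXPOSED_ROLES = {"vpn-vserver", "ica-proxy", "cvpn", "rdp-proxy", "aaa-vserver"}

# Input notation (this example's own convention, not a Citrix output format):
# "<train>-<release>.<number>" plus an optional "-FIPS" / "-NDcPP" suffix.
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")


def assess_build(build: str) -> str:
    """Classify a build as patched, vulnerable, end-of-life or unknown."""
    m = BUILD_RE.match(build.strip())
    if not m:
        return "unknown"
    train, variant = m.group(1), m.group(4) or ""
    installed = (int(m.group(2)), int(m.group(3)))
    if (train, variant) in EOL_TRAINS:
        return "end-of-life"
    fixed = FIXED_BUILDS.get((train, variant))
    if fixed is None:
        return "unknown"  # train not covered by the advisory; do not assume safe
    return "patched" if installed >= fixed else "vulnerable"


def triage(build: str, roles: set) -> str:
    """Combine the build state with configured roles to rank an appliance."""
    state = assess_build(build)
    exposed = bool(roles & EXPOSED_ROLES)
    if state in ("vulnerable", "end-of-life") and exposed:
        return "urgent"  # unpatched and configured as Gateway or AAA vserver
    if state in ("vulnerable", "end-of-life"):
        return "patch"   # unpatched, but no Gateway/AAA vserver configured
    if state == "unknown":
        return "review"
    return "ok"
```

A build given without its variant suffix is judged against the mainline threshold for that train, so record the FIPS/NDcPP variant in the inventory before running the check.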
This update on Citrix's security vulnerabilities coincides with the active exploitation of security flaws in Adobe ColdFusion (CVE-2023-29298 and CVE-2023-38203) and the WooCommerce Payments WordPress plugin (CVE-2023-28121).
Leaving security flaws unaddressed in WordPress plugins could expose websites to complete compromise, enabling malicious actors to repurpose the compromised sites for further malicious activities. In a recent attack campaign called Nitrogen, eSentire disclosed that infected WordPress sites were utilized to host malicious ISO image files. When launched, these files led to the deployment of rogue DLL files capable of connecting to a remote server to fetch additional payloads, including Python scripts and Cobalt Strike.