CVE-2023-3519: Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)
Citrix has released a patch fixing a remote code execution vulnerability in several versions of Netscaler ADC and Netscaler Gateway that has been exploited. Organizations are urged to patch immediately.
Background
On July 18, Citrix published a security bulletin (CTX561482) that addresses a critical remote code execution (RCE) vulnerability in Netscaler ADC (formerly known as Citrix ADC) and Netscaler Gateway (formerly known as Citrix Gateway).

| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-3519 | Unauthenticated Remote Code Execution vulnerability | 9.8 | Critical |
In addition to CVE-2023-3519, Citrix patched two additional vulnerabilities in its ADC and Gateway appliances:
| CVE | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-3466 | Reflected Cross-Site Scripting (XSS) vulnerability | 8.3 | High |
| CVE-2023-3467 | Privilege Escalation to root administrator (nsroot) vulnerability | 8.0 | High |
Analysis
CVE-2023-3519 is an RCE vulnerability in Netscaler ADC and Netscaler Gateway. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code on a vulnerable server. For a target appliance to be vulnerable to exploitation, it must be configured as a Gateway (e.g. VPN, ICA Proxy, CVP, RDP Proxy) or an AAA virtual server. The vulnerability is rated as critical and Citrix reports that “Exploits of CVE-2023-3519 on unmitigated appliances have been observed.”
ADC and Gateway Historically Targeted by Attackers
Citrix’s ADC and Gateway appliances have been a valuable target for attackers in the past. For instance, in December 2022, Citrix patched another critical RCE vulnerability, CVE-2022-27518, in Citrix ADC and Gateway, that was also being exploited.
Following the disclosure of CVE-2019-19781, another unauthenticated RCE vulnerability in ADC and Gateway appliances in late 2019, active exploitation began in early 2020 and it remained a popular vulnerability with a variety of attackers including Chinese state-sponsored threat actors, Iranian-based threat actors, Russian state-sponsored threat groups as well as ransomware groups. Additionally, CVE-2019-19781 was featured as one of the Top 5 vulnerabilities in our 2020 Threat Landscape Retrospective report.
Due to the historical nature of exploitation against ADC and Gateway appliances, we strongly urge organizations to patch CVE-2023-3519 as soon as possible.
Proof of concept
At the time that this blog post was published, there was no proof-of-concept available for CVE-2023-3519.
Solution
Citrix detailed the affected and fixed versions in its security bulletin for CVE-2023-3519.
| Affected Product | Affected Version | Fixed Version |
|---|---|---|
| NetScaler ADC and NetScaler Gateway 13.1 | Before 13.1-49.13 | 13.1-49.13 and later releases |
| NetScaler ADC and NetScaler Gateway 13.0 | Before 13.0-91.13 | 13.0-91.13 and later |
| NetScaler ADC 13.1-FIPS | Before 13.1-37.159 | 13.1-37.159 and later |
| NetScaler ADC 12.1-FIPS | Before 12.1-55.297 | 12.1-55.297 and later |
| NetScaler ADC 12.1-NDcPP | Before 12.1-55.297 | 12.1-55.297 and later |

Citrix also notes that NetScaler ADC and NetScaler Gateway version 12.1 is End of Life (EOL), and users are urged to upgrade to a supported version immediately.
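As an added example (not code from this post, Tenable or Citrix), the following Python helper classifies a NetScaler build string against the fixed builds in the table above, so an inventory export can be triaged for CVE-2023-3519 without string comparisons getting build numbers wrong. The `release-build.sub` input shape (e.g. `13.1-49.13`) and the train labels `standard`, `FIPS` and `NDcPP` are assumptions made for this example.

```python
import re
from typing import Optional, Tuple

# First fixed build per train, transcribed from the Citrix bulletin table above.
# The train labels ("standard", "FIPS", "NDcPP") are keys constructed for this example.
FIXED_BUILDS = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}

# Assumed input shape: "<release>-<build>.<sub>", as the bulletin writes it.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Split '13.1-49.13' into ('13.1', (49, 13)); None if malformed."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    release, build, sub = m.groups()
    # Compare build numbers as integers: 49.2 is older than 49.13,
    # which a plain string comparison would get wrong.
    return release, (int(build), int(sub))


def assess(version: str, train: str = "standard") -> str:
    """Return "patched", "vulnerable", "eol" (12.1 standard: no fix, upgrade),
    or "unknown" (malformed input or a train not covered by the table)."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    release, build = parsed
    fixed = FIXED_BUILDS.get((release, train))
    if fixed is None:
        return "eol" if (release, train) == ("12.1", "standard") else "unknown"
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, reported build, train).
    inventory = [("gw-01", "13.1-49.13", "standard"), ("gw-02", "13.1-49.2", "standard"),
                 ("adc-fips", "13.1-37.159", "FIPS"), ("legacy", "12.1-65.1", "standard")]
    for host, ver, train in inventory:
        print(f"{host}: {ver} ({train}) -> {assess(ver, train)}")
```

A "patched" result only means the build is at or above the fixed build; it says nothing about whether the appliance was already compromised before the upgrade, which is a separate investigation.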
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.