CVE-2023-3519: Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)

Citrix has released a patch fixing a remote code execution vulnerability in several versions of Netscaler ADC and Netscaler Gateway that has been exploited. Organizations are urged to patch immediately.

Background

On July 18, Citrix published a security bulletin (CTX561482) that addresses a critical remote code execution (RCE) vulnerability in Netscaler ADC (formerly known as Citrix ADC) and and Netscaler Gateway (formerly known as Citrix Gateway).

In addition to CVE-2023-3519, Citrix patched two additional vulnerabilities in its ADC and Gateway appliances:

Analysis

CVE-2023-3519 is a RCE vulnerability in Netscaler ADC and Netscaler Gateway. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code on a vulnerable server. For a target appliance to be vulnerable to exploitation, it must be configured as a Gateway (e.g. VPN, ICA Proxy, CVP, RDP Proxy) or an AAA virtual server. The vulnerability is rated as critical and Citrix reports that “Exploits of CVE-2023-3519 on unmitigated appliances have been observed.”

ADC and Gateway Historically Targeted by Attackers

Citrix’s ADC and Gateway appliances have been a valuable target for attackers in the past. For instance,in December 2022, Citrix patched another critical RCE vulnerability, CVE-2022-27518, in Citrix ADC and Gateway, that was also being exploited.

Following the disclosure of CVE-2019-19781, another unauthenticated RCE vulnerability in ADC and Gateway appliances in late 2019, active exploitation began in early 2020 and it remained a popular vulnerability with a variety of attackers including Chinese state-sponsored threat actors, Iranian-based threat actors, Russian state-sponsored threat groups as well as ransomware groups. Additionally, CVE-2019-19781 was featured as one of the Top 5 vulnerabilities in our 2020 Threat Landscape Retrospective report.

Due to the historical nature of exploitation against ADC and Gateway appliances, we strongly urge organizations to patch CVE-2023-3519 as soon as possible.

Proof of concept

At the time that this blog post was published, there was no proof-of-concept available for CVE-2023-3519.

Solution

Citrix detailed the affected and fixed versions in its security bulletin for CVE-2023-3519.

Citrix also notes that NetScaler ADC and NetScaler Gateway versions 12.1 is End of Life (EOL), and users are urged to upgrade to a supported version immediately.

Identifying affected systems

A list of Tenable plugins to identify this vulnerability will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

On July 20, the Cybersecurity and Infrastructure Security Agency (CISA) released Cybersecurity Advisory (CSA) AA23-201A with further details on the tactics, techniques, and procedures (TTPs) of a threat actor that exploited CVE-2023-3519. This CSA includes information that can aid incident responders and also provides MITRE ATT&CK IDs. The CSA makes note that this threat actor planted a webshell on the impacted victims NetScaler ADC appliance and used this webshell to collect and exfiltrate Active Directory (AD) data. The attacker then attempted to move laterally to a domain controller. We recommend reviewing this CSA for further information to aid in incident response activity if you suspect your organization may have been impacted by this vulnerability.

On September 6, CISA released an update to CSA AA23-201A with additional information, including newly observed TTPs and indicators of compromise (IOCs).

Get more information

• Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
• CISA Cybersecurity Advisory AA23-201A: Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.