Citrix is alerting customers to a critical security flaw in the NetScaler Application Delivery Controller (ADC) and Gateway that it says is being actively exploited in the wild. The following versions are affected –
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1 (currently end of life)
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297, and
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
The company did not provide further details about the flaw, tracked as CVE-2023-3519, other than saying that exploits had been observed on "unmitigated appliances". That said, successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization and accounting (AAA) virtual server.
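As an added triage example (not Citrix's tooling or code from the article), the Python snippet below compares an appliance's reported build against the fixed builds listed above and scans a saved ns.conf for the Gateway or AAA virtual servers that put the device in the exploitable role; the version-banner format, the branch labels for FIPS/NDcPP builds and the sample config are assumptions.

```python
import re

# Fixed builds per branch, taken from the advisory versions quoted above.
# Branch labels for FIPS/NDcPP builds are supplied by the caller (assumption).
FIXED_BUILDS = {
    "13.1": (49, 13),
    "13.0": (91, 13),
    "13.1-FIPS": (37, 159),
    "12.1-FIPS": (55, 297),
    "12.1-NDcPP": (55, 297),
}
END_OF_LIFE = {"12.1"}  # no fixed build exists; only an upgrade helps

# ns.conf directives that put the appliance in the exploitable role:
# a Gateway (VPN) virtual server or an AAA (authentication) virtual server.
EXPOSED_VSERVER = re.compile(r"^add (vpn|authentication) vserver\b", re.M)

def parse_version(banner):
    """Parse a 'show ns version' banner such as
    'NetScaler NS13.1: Build 49.8.nc' (format assumed) into ('13.1', (49, 8))."""
    m = re.search(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(branch, build, ns_conf):
    """Return (vulnerable_build, exposed_role, verdict) for one appliance."""
    if branch in END_OF_LIFE:
        vulnerable = True
    elif branch in FIXED_BUILDS:
        vulnerable = build < FIXED_BUILDS[branch]  # tuple compare: (49, 8) < (49, 13)
    else:
        raise ValueError(f"unknown branch: {branch}")
    exposed = EXPOSED_VSERVER.search(ns_conf) is not None
    if vulnerable and exposed:
        verdict = "PATCH NOW: vulnerable build in exploitable Gateway/AAA role"
    elif vulnerable:
        verdict = "patch: vulnerable build, but no Gateway/AAA vserver configured"
    else:
        verdict = "ok: build is at or above the fixed release"
    return vulnerable, exposed, verdict

# Constructed sample config: a Gateway vserver alongside an ordinary LB vserver.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0
add lb vserver web_lb HTTP 10.0.0.20 80
add vpn vserver vpn_gw SSL 203.0.113.10 443
"""

if __name__ == "__main__":
    branch, build = parse_version("NetScaler NS13.1: Build 49.8.nc, Date: Jun 1 2023")
    print(assess(branch, build, SAMPLE_NS_CONF))
```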
Also patched alongside CVE-2023-3519 are two other bugs –
- CVE-2023-3466 (CVSS score: 8.3) – Improper input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack
- CVE-2023-3467 (CVSS score: 8.0) – Improper privilege management vulnerability resulting in privilege escalation to root administrator (nsroot)
Wouter Rijkbost and Jorren Geurts of Resillion have been credited with reporting CVE-2023-3467. Patches have been made available to address the three flaws in the following versions –
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS, and
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
NetScaler ADC and NetScaler Gateway version 12.1 customers are advised to upgrade their devices to a supported version to mitigate potential threats.
The development comes amid active exploitation of a security flaw found in Adobe ColdFusion (CVE-2023-29298 and CVE-2023-38203) and the WooCommerce Payments WordPress plugin (CVE-2023-28121).
An unpatched security flaw in a WordPress plugin can open the door to a complete site compromise, after which threat actors repurpose the compromised WordPress sites for other malicious activities.
Last month, eSentire revealed an attack campaign dubbed Nitrogen in which infected WordPress sites were used to host malicious ISO image files that, when launched, result in the deployment of rogue DLL files capable of contacting remote servers to fetch additional payloads, including Python scripts and Cobalt Strike.
CVE-2023-3519 Added to CISA KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added the Citrix remote code execution flaw to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are therefore required to address the issue no later than August 9, 2023, to secure their networks against potential threats.