OVERVIEW
Citrix has issued an advisory warning customers about a critical-severity vulnerability (CVE-2023-3519) affecting NetScaler ADC and NetScaler Gateway products. The vulnerability has a CVSS score of 9.8 and allows unauthenticated remote code execution, so an attacker who can reach a vulnerable appliance over the network can compromise it without any credentials.
According to Citrix, the vulnerability can be used by attackers targeting NetScaler appliances configured as gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication virtual servers (also known as AAA servers). Exploits for this vulnerability have already been observed in the wild.
To protect systems from potential attacks, Citrix strongly urges its customers to update their NetScaler ADC and NetScaler Gateway to the following versions:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases.
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0.
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS.
- NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS.
- NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP.
It's important to note that the mainline 12.1 release of NetScaler ADC and NetScaler Gateway (as opposed to the 12.1-FIPS and 12.1-NDcPP builds listed above) has reached end-of-life, remains vulnerable, and will not receive a fix; users still on it are strongly advised to upgrade to a supported version. Organizations using Citrix NetScaler ADC and NetScaler Gateway should take immediate action to protect their systems.
AVERTIUM'S RECOMMENDATIONS
- In case of a suspected compromise, search the appliance's web-reachable directories for files created or modified after the last installation or upgrade date (a common sign of a dropped web shell) and review the HTTP error logs for anomalous requests.
- Administrators can also review the appliance's shell logs for unusual commands that indicate post-exploitation activity.
- For the most up-to-date information and guidance, please refer to Citrix's security advisories.
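The three checks above, as an added example that is not part of the original advisory or of Citrix's guidance: a small POSIX shell triage script meant to be run from the appliance's shell, or against a copied-off filesystem by setting ROOT. The directory and log paths it uses and the command patterns it greps for are assumptions stated in the comments, and the fixture it builds is constructed for the example; verify both against your own appliance before relying on the results.

```shell
#!/bin/sh
# Added example (not from the Avertium advisory or from Citrix): a minimal
# post-exploitation triage script for a NetScaler ADC / Gateway shell, covering
# the three checks above. It assumes this appliance layout:
#   /netscaler/ns_gui, /var/vpn, /var/netscaler/logon, /var/python  (web-reachable)
#   /var/log/httperror.log*                                         (HTTP error log)
#   /var/log/sh.log*, /var/log/bash.log*                            (shell history)
# ROOT lets you point it at a copied-off filesystem instead of "/".

ROOT="${ROOT:-/}"

# Concatenate a log family, transparently decompressing rotated .gz files.
cat_logs() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    case "$f" in
      *.gz) zcat "$f" ;;
      *)    cat  "$f" ;;
    esac
  done
}

# Check 1: files created or modified after the last install/upgrade.
# $1 is a touch(1) timestamp, YYYYMMDDhhmm, e.g. 202307100000.
# POSIX find has no -newermt, so compare against a reference file instead.
hunt_new_files() {
  ref=$(mktemp) || return 1
  touch -t "$1" "$ref"
  for d in netscaler/ns_gui var/vpn var/netscaler/logon var/python; do
    [ -d "$ROOT/$d" ] || continue
    find "$ROOT/$d" -type f -newer "$ref"
  done
  rm -f "$ref"
}

# Check 2: HTTP error log entries that reference script files. Legitimate
# clients do not request .sh or .php paths on the appliance; exploit and
# web-shell traffic does.
scan_httperror() {
  cat_logs "$ROOT"/var/log/httperror.log* | grep -E '\.(php|sh)([^[:alnum:]]|$)' || true
}

# Check 3: shell history for commands typical of hands-on-keyboard activity.
# The pattern list is an assumption about what to look for, not an official list.
scan_shell_logs() {
  pattern='whoami|nsconfig/keys|ns\.conf|curl |wget |chmod \+x|base64 -d|nc |python -c'
  cat_logs "$ROOT"/var/log/sh.log* "$ROOT"/var/log/bash.log* | grep -E "$pattern" || true
}

# Constructed fixture so the checks can be exercised offline. Every file and
# log line below is made up for the example; only the paths mirror the appliance.
make_fixture() {
  r="$1"
  mkdir -p "$r/netscaler/ns_gui/vpn" "$r/var/vpn" "$r/var/log"
  echo 'stock page' > "$r/netscaler/ns_gui/vpn/index.html"
  touch -t 202306010000 "$r/netscaler/ns_gui/vpn/index.html"   # predates the patch
  echo 'placeholder' > "$r/netscaler/ns_gui/vpn/logon.php"
  touch -t 202307190000 "$r/netscaler/ns_gui/vpn/logon.php"    # dropped after it
  cat > "$r/var/log/httperror.log" <<'EOF'
[Tue Jul 18 09:12:01 2023] [error] [client 203.0.113.5] File does not exist: /netscaler/ns_gui/vpn/x.sh
[Tue Jul 18 09:12:05 2023] [error] [client 198.51.100.7] File does not exist: /vpn/images/logo.png
EOF
  cat > "$r/var/log/sh.log" <<'EOF'
Jul 18 09:13:02 ns sh[1234]: root on /dev/pts/0 shell_command="whoami"
Jul 18 09:13:10 ns sh[1234]: root on /dev/pts/0 shell_command="ls /var/log"
Jul 18 09:13:20 ns sh[1234]: root on /dev/pts/0 shell_command="cat /flash/nsconfig/ns.conf"
EOF
}

# Usage on the appliance, as root, with the timestamp of the last upgrade:
#   sh netscaler_triage.sh 202307100000
if [ $# -ge 1 ]; then
  echo "== files newer than $1 in web-reachable directories =="; hunt_new_files "$1"
  echo "== script requests in httperror.log ==";                 scan_httperror
  echo "== suspicious shell commands in sh.log/bash.log ==";     scan_shell_logs
fi
```

Everything the script lists needs a human look: a new file under the web root may be a legitimate customization, and a clean result does not prove the appliance was never compromised, since an attacker with root can remove the web shell and truncate the logs. Run the checks on a forensic copy where possible, and compare the reference timestamp against the appliance's own record of its last upgrade rather than a date from memory.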
INDICATORS OF COMPROMISE (IoCs)
At this time, there are no known IoCs associated with CVE-2023-3519. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.
HOW AVERTIUM IS PROTECTING OUR CUSTOMERS
- Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
- Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior.
SUPPORTING DOCUMENTATION