Thousands of Netscaler Servers Exposed To Critical Remote Execution Bug
Shadowserver Researchers Issue Warning

Overt Operator
July 24, 2023
Security researchers from the non-profit Shadowserver Foundation have warned that thousands of Citrix Netscaler ADC and Gateway servers remain exposed online and vulnerable to attacks exploiting a critical remote code execution (RCE) bug. The bug was previously abused as a zero-day, that is, exploited before the vendor and defenders who would need to mitigate it knew the vulnerability existed.
The researchers identified at least 15,000 appliances exposed to attacks leveraging the flaw (CVE-2023-3519), based on their version information. "All instances that still provide version hashes have not been updated and may be vulnerable," Shadowserver pointed out. They also acknowledged a potential undercounting, as certain revisions known to be vulnerable but lacking version hashes have not been included in the total tally of exposed Citrix servers.
Citrix issued security updates to address this RCE vulnerability on July 18th, acknowledging the exploitation of unmitigated appliances and urging customers to install the patches immediately. Citrix added that unpatched Netscaler appliances configured as gateways or as authentication virtual servers (AAA servers) are susceptible to attacks.
The CVE-2023-3519 RCE zero-day was potentially available online since early July, when a threat actor advertised the Citrix ADC zero-day flaw on a hacker forum. BleepingComputer revealed that Citrix had been working on a patch before officially disclosing the vulnerability.
On the same day, Citrix fixed two other high-severity vulnerabilities, CVE-2023-3466 and CVE-2023-3467. The former enables attackers to launch cross-site scripting (XSS) attacks via a malicious link, while the latter allows privilege elevation to root permissions. The latter, however, requires authenticated access to the vulnerable appliance's management interface.
In response to these vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) issued a directive on Wednesday ordering U.S. federal agencies to secure their Citrix servers by August 9th. The CISA warning followed a breach of a U.S. critical infrastructure organization's systems in which this vulnerability was exploited as a zero-day.
"In June 2023, threat actors exploited this vulnerability to drop a webshell on a critical infrastructure organization's NetScaler ADC appliance," CISA disclosed in an advisory. "The webshell allowed the actors to explore the victim's active directory (AD) and collect and exfiltrate AD data."