Citrix Gateway VPN is a popular solution for remote access and secure web applications. However, it is also vulnerable to a critical security flaw that allows unauthenticated attackers to execute arbitrary code on the appliance. This flaw, known as CVE-2023-3519, was discovered in July 2023 and exploited by threat actors as a zero-day to implant webshells on a critical infrastructure organization’s NetScaler ADC appliance.
CVE-2023-3519 affects the following versions of NetScaler ADC and NetScaler Gateway:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL) and is vulnerable.
The vulnerability exists in the Citrix Gateway Plugin for Windows, which is used to establish a secure connection between the client and the appliance. The plugin accepts user input without proper validation and passes it to a system command, resulting in code injection.
To exploit this vulnerability, an attacker must send a specially crafted HTTP request to the appliance that is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The attacker can then run commands of their choice on the appliance with root privileges.
According to CISA, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.
Citrix released a patch for this vulnerability on July 18, 2023. CISA strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. CISA also provides detection methods and incident response recommendations for organizations that may have been compromised by this vulnerability.
How Defants vSIRT Can Help
CVE-2023-3519 is not the only vulnerability that affects Citrix products. In January 2020, Citrix disclosed another critical RCE vulnerability, CVE-2020-19781, that affected multiple versions of Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances. This vulnerability was also widely exploited by threat actors to compromise organizations across various sectors.
These incidents highlight the importance of timely patching and proactive incident response for organizations that use Citrix products or any other network devices that may expose them to cyberattacks.
To prevent cyberattacks, organizations should:
- Apply patches as soon as they are available from vendors.
- Monitor network traffic and logs for any suspicious or anomalous activity.
- Implement network segmentation and firewall rules to limit access to sensitive systems and data.
- Enforce strong authentication and authorization policies for remote access and web applications.
- Educate users and staff on how to avoid phishing emails and malicious links.
To respond to cyberattacks, organizations need a modern approach with a Managed CSIRT or a Security Incident Response Platform (SIRP), such as Defants vSIRT.
Defants vSIRT provides several benefits for incident response teams:
- It automates repetitive tasks such as data collection, enrichment, analysis, triage, compromised assets, and reporting.
- It integrates with various security tools and data sources collectors such as Kape, DFIR ORC, Velociraptor or EDRs (Endpoint Detection and Response), and in the next release with threat intelligence feeds.
- It enables collaboration among different teams and stakeholders such as analysts, managers, executives, legal, and PR through a centralized platform.
- It standardizes incident response processes and workflows based on best practices and industry frameworks such as NIST, MITRE ATT&CK.
With Defants vSIRT, incident responders can quickly detect and respond to CVE-2023-3519 exploitation and other cyberattacks. They can also leverage the platform’s capabilities to improve their security posture and resilience.
Defants vSIRT helps organizations reduce the time, cost, and impact of cyberattacks, while improving their security posture and resilience. It is a powerful ally in the fight against cyber threats.