Summary
A critical vulnerability, tracked as CVE-2023-3519 (NVD), has been identified in Citrix ADC and Gateway products. This vulnerability is currently being exploited in the wild and the rate of exploitation is expected to increase due to the popularity of the impacted products.
CISA has provided a detailed response here.
(Updated 24th July 2023)
Vulnerability Details
CVE-2023-3519 is a remote code execution (RCE) vulnerability that can be exploited remotely without authentication. However, the vulnerability only affects appliances that are configured as a gateway or AAA virtual server. Citrix has confirmed that attacks targeting unmitigated appliances have been observed.
Recently, cybersecurity firm Bishop Fox discovered a new exploit technique targeting this vulnerability. The exploit can be used against any appliance set as a gateway or AAA virtual server and which exposes a specific route enabled by default on certain installations. The vulnerability is a simple unauthenticated stack overflow, made significantly worse by the fact that exploit mitigations do not protect the vulnerable function on some versions. The vulnerable binary is compiled without PIE and with an executable stack, and on the VPX version, there is no stack canary. As a result, exploitation is trivial.
Bishop Fox’s analysis of the vulnerable appliances revealed the existence of roughly 61,000 Citrix Gateway login pages accessible from the internet. More than half of these devices, approximately 32,000, are unpatched against CVE-2023-3519. Furthermore, the company claims that roughly 21,000 appliances that are unpatched also expose the vulnerable route, making them prone to the new exploitation technique. This significant number of vulnerable systems underscores the urgency for organizations to apply the necessary patches and secure their Citrix environments.
Proof of Concept (PoC) / Sightings
Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) (Mandiant)
Associated MITRE ATT&CK TTPs
- T1190: Exploit Public-Facing Application
- T1068: Exploitation for Privilege Escalation
- T1210: Exploitation of Remote Services
Please refer to the MITRE ATT&CK framework for more details on these TTPs.
Patch Information
Citrix has released patches for this vulnerability. The patches are included in the following versions of the software:
- NetScaler ADC and Gateway 13.1-49.13 and 13.0-91.13
- NetScaler ADC 13.1-FIPS 13.1-37.159, 12.1-FIPS 12.1-55.297
- ADC 12.1-NDcPP 12.1-55.297
The US Cybersecurity and Infrastructure Security Agency (CISA) has also issued an alert for the Citrix vulnerabilities, warning organizations about the zero-day.
Recommendations
Organisations are strongly advised to apply the patches provided by Citrix as soon as possible to mitigate the risk posed by this vulnerability. Additionally, monitoring for any unusual activity within the network can help detect potential exploitation attempts.
For further guidance on securing Citrix environments, please refer to the following resources:
- Security best practices for Citrix Virtual Apps and Desktops
- Security considerations and best practices | Citrix Virtual Apps and Desktops 7 2305
- Securing Citrix Virtual Apps and Desktops Environments