How to Respond to Citrix ADC and Citrix Gateway Vulnerabilities (CVE-2023-3519)

There are multiple vulnerabilities impacting Citrix Application Delivery Controller (ADC) and Citrix Gateway (also known as NetScaler ADC and NetScaler Gateway), including a zero-day vulnerability: CVE-2023-3519 (zero-day), CVE-2023-3466, and CVE-2023-3467. CVE-2023-3519 is a known exploited vulnerability that needs to be patched as quickly as possible in order to secure your system against threat actors.

Citrix ADC and Citrix Gateway support networking needs, such as global load balancing for client applications, secure remote access, and other application security needs. However, these three exploitable vulnerabilities enable malicious actors to achieve remote code execution (CVE-2023-319), cross-site scripting attacks (CVE-2023-3466), and privilege escalation (CVE-2023-3467) on some versions of Citrix ADC and Citrix Gateway.

This article will identify how these security vulnerabilities impact use of Citrix ADC and Citrix Gateway, as well as how to secure your system if you rely on one of the impacted versions.

What are CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467?

CVE-2023-3519 is a critical vulnerability that enables attackers to achieve unauthenticated Remote Code Execution (RCE). Unauthenticated RCE is dangerous because remote attackers can gain access to your system and take actions without confirming that they have legitimate privileges. Having an RCE vulnerability heightens your attack surface's risk factors, as it could result in further intrusions to your critical infrastructure.

When remote code execution is paired with CVE-2023-3467, attackers can escalate their privileges to gain additional access elsewhere in your system; in this case, privilege escalation to [.rt-script]root[.rt-script] administrator (known as [.rt-script]nsroot[.rt-script]). An attacker can escalate these privileges if they have authenticated access to the NetScaler appliances IP address (NSIP) or a SubNet IP (SNIP), and then gained access to the management interface. CVE-2023-3519 has a CVSS base score of 9.8, and CVE-2023-3467 has a CVSS score of 8.0. These high severity scores mean the impacted Citrix products could have a major impact on business operations if exploited.

The CVE-2023-3466 vulnerability enables a cross-site scripting attack (also known as an XSS attack). XSS attacks are a type of code injection where an attacker injects malicious code into a website in order to access information from an end user who otherwise trusts the website. Attackers use these scripts to return sensitive information, such as cookies, session tokens, and user credentials. Citrix registers CVE-2023-3466 with an 8.3 CVSS score, whereas NIST registers this CVE with a 6.1 CVSS score. If your system is impacted by these CVEs, malicious actors could gain access to your internal systems and exfiltrate sensitive information.

Citrix issued a security bulletin regarding these vulnerabilities, CISA (the Cybersecurity and Infrastructure Security Agency) issued a security advisory, and all three CVEs are documented in NIST's National Vulnerability Database (NVD) as known vulnerabilities. For additional information about these types of exploitations, you can review MITRE's Common Weakness Enumeration (CWE).

How to Detect the CVEs on Impacted Citrix Systems

If you incorporate Citrix ADC or Citrix Gateway (which may also be referred to as NetScaler), you can determine the impact on your systems by comparing your product version to the versions identified as vulnerable to these exploitations.

The following Citrix products are versions of NetScaler ADC and Gateway impacted by these three CVEs:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC and NetScaler Gateway version 12.1, now end of life
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

Additionally, version 12.1 is at end-of-life (EOL) and will no longer be supported with updates from Citrix. Be sure that you update the EOL versions to supported versions. For additional guidance on Citrix security bulletins, visit support.citrix.com and continue reading for recommendations on how to mitigate potential impact resulting from these vulnerabilities.

How to Mitigate the Citrix ADC and Citrix Gateway Vulnerabilities

If your systems have been impacted by malicious actors, you should work with your security team on an immediate incident response plan that includes quarantining compromised systems and following recommended security practices. If your system uses any of the impacted versions but has not been exploited by threat actors, you should also follow the mitigation recommendations.

1. Upgrade to the latest releases for Citrix ADC and Citrix Gateway

If you are using any of the impacted versions, it's critical that you upgrade to the latest version in order to secure your system against exploitation. Follow your organizational patching policy to minimize business operation disruption during firmware upgrades.

As version 12.1 will not be supported with additional patches due to its EOL deprecation, you should plan your migration to a supported release version to ensure that your system receives necessary security updates.

2. Secure any credentials stored on the system

Ensure that any files containing credentials, such as configuration files, are secured. Restrict file and directory permissions to only the necessary users using a clear policy for role-based access control. Implementing role-based access control and the principle of least privilege will mean that there are fewer routes that an attacker could use to access your system.

3. Provision new account credentials with the updated version

As part of your access management policies, you can cycle account credentials regularly for an added layer of security. If your system was compromised or at risk of compromise, new account credentials will refresh the authentication process so that the potentially compromised credentials cannot be used to access the system.

4. Implement multi-factor authentication (MFA) for all services

With multi-factor authentication, your staff will need to provide multiple forms of authentication in order to access the system. MFA provides an additional level of account protection, as malicious attackers would need to compromise multiple credentials in order to gain access.

5. Monitor ongoing use of Citrix products for existing and future vulnerabilities

In addition to these new vulnerabilities, there are other vulnerabilities that have been targeted in the recent past and potentially unknown vulnerabilities that may occur in the future. Continuous monitoring for your use of these products ensures that you can take proactive measures against any potential known and unknown vulnerabilities.

How UpGuard Can Help

Using non-intrusive scanning techniques, UpGuard detects when Citrix products are in use among your external assets. We provide informational findings for detection of Citrix ADC and Citrix Gateway, which empowers you to assess your version update schedule, and we are constantly adding specific version detection where possible.

Screencapture for how a Citrix Gateway informational detection appears in Vendor Risk
An example of Citrix detection in UpGuard Vendor Risk

If you or a vendor are using Citrix technologies, you should determine whether it has been updated to a secure version. You can send a remediation request within UpGuard, which will enable the technology owner to assert the current version of the product.

How to Identify Systems Compromised by CVE-2023-3519

You can assess whether your use of these technologies has been compromised by performing assessment actions in your ADC shell interface through a variety of techniques identified by CISA. Each of these approaches can identify indicators of compromise that would necessitate an immediate incident response plan. Please note that UpGuard does not conduct penetration testing or invasive data collection on your internal systems, so you will need to conduct your own security research to evaluate your internal systems for exploits of CVE-2023-3519 or other evidence of malicious behavior by unknown actors.

Audit your files for anything that has been created after your most recent installation or update

New files created after your latest installation or update may indicate that an unknown attacker has gained access to your system. For process files held in [.rt-script]/var[.rt-script] and files related to your Citrix/NetScaler graphical user interface (GUI), you can run [.rt-script]find[.rt-script] commands that specify a directory, file type, and date of modification. For each command, be sure to supply your most recent installation date with the [.rt-script][YYYYMMDD][.rt-script] format for the [.rt-script]-newermt[.rt-script] parameter to ensure that the command returns only those files that have been added after your update.

[.rt-script]find /netscaler/ns_gui/ -type f -name *.php -newermt [YYYYMMDD] -exec ls -l {} \;[.rt-script]

This command searches the [.rt-script]/netscaler/ns_gui/[.rt-script] directory for any PHP files that have been added since your last installation. You set the [.rt-script]-exec[.rt-script] option to list the directory contents in the long format with additional details.

[.rt-script]find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;[.rt-script]

This command searches the [.rt-script]/var/vpn/[.rt-script] directory for any files newer than the date you supply with the [.rt-script]-newermt[.rt-script] option.

[.rt-script]find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;[.rt-script]

This command searches the [.rt-script]/var/netscaler/logon/[.rt-script] directory for any files newer than the date you supply and returns a list with additional details.

[.rt-script]find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;[.rt-script]

This command searches the [.rt-script]/var/python/[.rt-script] directory for any files newer than the date you supply and returns a list with additional details.

Files that have been added after your most recent installation may suggest that a malicious actor has gained access to your system and has added new files that enable them to take additional actions.

Review error logs for any abnormalities

You can run [.rt-script]zgrep[.rt-script] commands to check your compressed HTTP error logs for a specific expression without uncompressing the file.

[.rt-script]zgrep '\.sh' /var/log/httperror.log*[.rt-script]

This command will assess the HTTP error logs for any lines containing [.rt-script]\.sh[.rt-script], which would suggest new shell scripts.

[.rt-script]zgrep '\.php' /var/log/httperror.log*[.rt-script]

This command will assess the HTTP error logs for any lines containing [.rt-script]\.php[.rt-script], which would suggest new PHP files that could exploit public-facing applications.

You can also evaluate your internal access logs [.rt-script]httpaccess-vpn.log*[.rt-script] for any successful access of unknown resources, which might indicate an attacker has found sensitive information.

Review shell logs for any unexpected edits

Use [.rt-script]grep[.rt-script] to search your system for any editing performed by someone other than your legitimate team.

[.rt-script]grep '/flash/nsconfig/keys' /var/log/sh.log*[.rt-script]

This command looks for any occurrences of the string [.rt-script]/flash/nsconfig/keys[.rt-script] in your log files. Because configuration files often hold credential information, it's important that you can identify whether an unexpected actor has viewed or modified sensitive information.

Ensure user permissions are secured for any executable files

The [.rt-script]setuid[.rt-script] flag, which stands for "set user identity" and provides privileged access rights, enables users to run programs with elevated privileges. You can assess whether any files use this privilege escalation by searching for [.rt-script]setuid[.rt-script] binaries that are newer than your most recent installation or update.

[.rt-script]find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt [YYYYMMDD] -exec ls -l {} \;[.rt-script]

This command will search the [.rt-script]/var[.rt-script] directory for files with the [.rt-script]setuid[.rt-script] bit (identified by the [.rt-script]4000[.rt-script] octal notation) that are owned by the root user and that are not held in the [.rt-script]/var/nslog/*[.rt-script] directory, and then return the responses in a list format that includes additional details. You can then evaluate if the files returned need to have this escalation privilege or if there are new files with these permissions that you have not implemented.

Review your logs for any unexpected traffic spikes or excessive connection attempts

If you are concerned about system compromise, you can review your internal traffic for specific threat behaviors:

  • Subnet scanning on ports 80, 443, and 445 that originate from your ADC environment
  • Unexpected directory access traffic using AD/LDAP/LDAPS that originates from your ADC environment
  • Excessive sessions in your ADC environment or connection attempts from a single IP address
  • Outbound data transfers from your ADC environment
  • Unexpected login access for your ActiveDirectory connections
  • System searches for ActiveDirectory, LDAP, OpenSSL, Salt, keys, and other sensitive information
  • Unexpected changes to your firewall

While these behaviors are not always indicative of malfeasance, examining them will ensure that you remain vigilant about potential intrusion through a vulnerability in your attack surface. Patching any security updates will help you prevent a data breach.

Ready to see
UpGuard in action?