Citrix ADC/Gateway Triple Threat 

Written by Eric Dodge and Harish Segar of the Kudelski Security Threat Detection & Research Team


Summary

Citrix recently disclosed three vulnerabilities in Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway): a cross-site scripting flaw, a privilege escalation, and an unauthenticated remote code execution. All three have prerequisites for successful exploitation; the remote code execution is the most concerning because its prerequisites are the least demanding and it requires neither authenticated access nor user interaction. The vulnerabilities are scored as follows: XSS 8.3, Privilege Escalation 8, Unauthenticated RCE 9.8.

Currently, there is no proposed workaround, so it is advised to patch any impacted systems promptly, as exploitation of CVE-2023-3519 has already been observed.

Affected Applications

Product                              | Affected Versions                  | Fixed versions
NetScaler ADC and NetScaler Gateway  | 13.1 before 13.1-49.13             | 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway  | 13.0 before 13.0-91.13             | 13.0-91.13 and later releases of 13.0
NetScaler ADC                        | 13.1-FIPS before 13.1-37.159       | 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC                        | 12.1-FIPS before 12.1-65.36        | 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
NetScaler ADC                        | 12.1-NDcPP before 12.65.36         | 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

Additionally, this applies only to customer-managed appliances; it does not affect Citrix-managed cloud services or Adaptive Authentication.
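To turn the table above into a repeatable check, the following is an added example (not part of this advisory or of any Citrix tooling) that compares a recorded NetScaler version against the first fixed build of its release train. The version string format ("13.1-48.47", "13.1-FIPS-37.150", "12.1-NDcPP-65.35"), the host names, and the inventory are assumptions constructed for the example; adapt parse_version() to however your asset inventory records builds.

```python
from typing import Optional

# First fixed build per release train, transcribed from the advisory table.
# Key: (release, variant); value: (build major, build minor).
FIXED_BUILDS = {
    ("13.1", ""):      (49, 13),
    ("13.0", ""):      (91, 13),
    ("13.1", "FIPS"):  (37, 159),
    ("12.1", "FIPS"):  (65, 36),
    ("12.1", "NDcPP"): (65, 36),
}

def parse_version(version: str) -> tuple[str, str, tuple[int, int]]:
    """Parse '13.1-48.47', '13.1-FIPS-37.150' or '12.1-NDcPP-65.35'.
    The format is an assumption for this example, not Citrix's own output."""
    release, _, rest = version.partition("-")
    variant = ""
    if rest.split("-")[0] in ("FIPS", "NDcPP"):
        variant, _, rest = rest.partition("-")
    major, minor = rest.split(".")
    return release, variant, (int(major), int(minor))

def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build precedes the first fixed build of its train,
    False if it is fixed, None if the train is not listed in the table."""
    release, variant, build = parse_version(version)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (48, 47) < (49, 13)

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts into 'patch', 'fixed' and 'not_listed' buckets."""
    result: dict[str, list[str]] = {"patch": [], "fixed": [], "not_listed": []}
    for host, version in inventory.items():
        status = is_vulnerable(version)
        key = "not_listed" if status is None else ("patch" if status else "fixed")
        result[key].append(host)
    return result

# Constructed sample inventory; host names and builds are made up for the example.
SAMPLE_INVENTORY = {
    "ns-gw-01": "13.1-48.47",
    "ns-gw-02": "13.1-49.13",
    "ns-fips-01": "13.1-FIPS-37.150",
    "ns-legacy-01": "12.1-65.36",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {hosts}")
```

Hosts that land in "not_listed" (here a standard 12.1 build) are not covered by the table and need to be checked against the vendor advisory directly rather than assumed safe.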

Technical Details

CVE-2023-3519 – Unauthenticated remote code execution

The RCE vulnerability, when exploited successfully, allows remote code execution without authentication. The only requirement is that the affected appliance is configured as either a gateway or an AAA virtual server. Gateway configurations include VPN virtual servers, ICA proxies, CVPNs, and RDP proxies. The underlying weakness is improper control of code generation, i.e., code injection: the product does not sufficiently separate control-plane code from user-controlled input (the data plane), so an attacker can craft input that alters the control flow, which in turn can lead to arbitrary code execution.

CVE-2023-3466 – Reflected cross-site scripting

The XSS vulnerability has more stringent requirements in order to be effective. It hinges on a victim navigating to a link under the attacker's control, and the victim must have network connectivity to the NSIP. The underlying weakness is improper input validation, which allows malicious input to alter control flow, gain arbitrary control of a resource, or achieve arbitrary code execution.

CVE-2023-3467 – Privilege escalation to root administrator (nsroot)

The privilege escalation vulnerability requires authenticated access to either the NSIP or the SNIP with access to the management interface. It therefore depends on a separate vector for initial access in order to be successful. Proper privilege management and monitoring of management-interface access can help detect and prevent this from occurring.

Solution

Kudelski Security recommends identifying, validating, and implementing the security update on any affected systems as soon as possible.

What the Cyber Fusion Center (CFC) is doing

The CFC will continue to keep up to date with this vulnerability to provide further updates as they become available.
