A critical remote code execution vulnerability has been discovered in Citrix’s NetScaler ADC and NetScaler Gateway, and it has already been exploited in the wild. It is advised that customers patch their systems immediately to prevent any potential attacks.
The vulnerability, known as CVE-2023-3519, is an unauthenticated remote code execution bug. Citrix released a security bulletin on Tuesday, disclosing three vulnerabilities, including this critical one. The severity of the CVE-2023-3519 vulnerability is rated as “critical” with a CVSS score of 9.8. The other two vulnerabilities mentioned in the bulletin are a reflected cross-site scripting bug (CVE-2023-3466) with a CVSS score of 8.3 and a privilege escalation flaw (CVE-2023-3467) to root administrator with a CVSS score of 8.
According to Citrix’s bulletin, exploits of the CVE-2023-3519 vulnerability have already been observed on unmitigated appliances. However, no further technical details about the flaw were provided, except that the affected appliance must be configured as a gateway or a AAA virtual server.
TechTarget Editorial reached out to Citrix for comment but has not received a response as of press time.
The following versions of NetScaler ADC and Gateway are affected by these vulnerabilities:
– NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
– NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
– NetScaler ADC 13.1-FIPS before 13.1-37.159
– NetScaler ADC 12.1-FIPS before 12.1-55.297
– NetScaler ADC 12.1-NDcPP before 12.1-55.297
Citrix advises its customers to update their systems to the following versions:
– NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
– NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
– NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
– NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
– NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
It is important to note that Citrix considers NetScaler ADC and NetScaler Gateway version 12.1 as end-of-life, making them vulnerable to these exploits.
Rapid7, an information security company, also commented on these vulnerabilities in a blog post. Caitlin Condon, the head of vulnerability research at Rapid7, stated that the NetScaler ADC/Gateway product line is a popular target for attackers of all skill levels, and the number of exploitation attempts is expected to increase quickly. Rapid7 strongly recommends that users update to a fixed version without waiting for the usual patch cycle.
In conclusion, a critical remote code execution flaw has been detected in Citrix’s NetScaler ADC and NetScaler Gateway products, and it has already been exploited. Customers are urged to patch their systems immediately to prevent any potential attacks. It is advisable to update to the relevant versions recommended by Citrix, as older versions are considered vulnerable. The severity of the vulnerability and the popularity of the affected products make this a highly critical issue, and immediate action is recommended to mitigate any potential risks.