
Critical flaw in NetScaler ADC devices being actively exploited by threat actors


A remote code execution vulnerability has been identified in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances that allows an unauthenticated attacker to execute arbitrary code on the device with elevated privileges. The vulnerability, tracked as CVE-2023-3519, was exploited as a zero-day: attackers were using it in the wild before Citrix had published a fix, so even fully updated appliances were exposed at the time.

Researchers from Bishop Fox and Assetnote who analyzed the vulnerability found that exploitation only requires the appliance to be configured as a Gateway or AAA virtual server and to expose a specific vulnerable route. Interestingly, this route appears to be enabled by default on some installations but not on others, and the cause of this variance has not yet been determined.

Further investigation confirmed that there are in fact two separate remote code execution flaws in the affected builds. One does not depend on Security Assertion Markup Language (SAML) being configured, while the other does. The flaw that does not require SAML is most likely the one tracked as CVE-2023-3519; the researchers believe the SAML parser bug is a separate vulnerability that was silently patched without an associated advisory.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory stating that attackers have been exploiting CVE-2023-3519 since June to deploy webshells on appliances, giving them persistent unauthorized access to and control over the affected devices. The attackers succeeded because the flaw was a zero-day at the time: no patch existed, so patch compliance alone offered no protection.

In one incident, the attackers targeted a NetScaler appliance belonging to a critical infrastructure organization. They deployed a webshell, a web-accessible backdoor script, on the appliance. With the webshell in place, they used the appliance as a foothold to enumerate the victim's Active Directory (AD) environment and exfiltrate AD data.

The attackers then attempted to move laterally by targeting a domain controller, but network segmentation policies blocked the attempt. To get around this, they deployed a second webshell with proxying capabilities and used it to relay Server Message Block (SMB) traffic from the appliance toward the domain controller.

To hinder the victim's ability to regain control of the ADC appliance, the attackers deleted its authorization configuration file, most likely to prevent configured users such as admin from logging in remotely. Recovering from this would normally require rebooting the appliance into single-user mode, but the victim was able to skip that step because an SSH key that still granted access was available.
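As an added illustration (not part of the original article, and not Citrix or CISA tooling), the following Python script generalises the two host-level indicators described above: a script-type file that appears in a web-served directory after the last legitimate install, and an expected configuration file that an intruder has deleted. The directory layout, the file names (including `etc/auth.conf` as the authorization file), the extension list and the one-week-old baseline are all assumptions baked into a constructed temporary tree; substitute the real paths and your last firmware install time when running it on an appliance.

```python
"""Hunt for webshell-style artifacts on an appliance filesystem.

Added example: this is not the article's or the vendor's code. It checks
two indicators from the intrusion described in the text:
  1. script files dropped under a web-served directory after the last
     legitimate install (a webshell has a fresh mtime, shipped files do not);
  2. an expected configuration file that has gone missing (the attackers
     deleted the authorization configuration to lock administrators out).
All paths and names below are assumptions for illustration.
"""
import os
import tempfile
import time
from pathlib import Path

# Extensions the web server could execute if dropped under a served
# directory (assumed list; extend it for your platform).
SCRIPT_EXTENSIONS = {".php", ".pl", ".py", ".sh", ".jsp"}


def find_new_scripts(web_root, baseline_epoch):
    """Return script-type files under web_root modified after baseline_epoch.

    baseline_epoch should be the timestamp of the last legitimate firmware
    install; anything executable that is newer than that deserves review.
    Paths are returned relative to web_root so results are stable.
    """
    root = Path(web_root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXTENSIONS:
            continue
        if path.stat().st_mtime > baseline_epoch:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def missing_files(expected):
    """Return the subset of expected files that no longer exist on disk."""
    return sorted(str(p) for p in expected if not Path(p).exists())


def build_demo_tree(base):
    """Populate base with a constructed toy layout (sample data, not a real
    appliance image): two old legitimate files, one freshly dropped PHP
    file, and a config directory whose authorization file is absent."""
    base = Path(base)
    web = base / "ns_gui" / "vpn"            # assumed web-served directory
    (web / "themes").mkdir(parents=True)
    legit_page = web / "index.html"
    legit_page.write_text("<html>legitimate page</html>\n")
    legit_script = web / "logon.php"         # hypothetical shipped script
    legit_script.write_text("<?php echo 'logon'; ?>\n")
    month_ago = time.time() - 30 * 86400     # pretend these came with the install
    for f in (legit_page, legit_script):
        os.utime(f, (month_ago, month_ago))
    dropped = web / "themes" / "x.php"       # hypothetical webshell, current mtime
    dropped.write_text("<?php system($_REQUEST['c']); ?>\n")
    cfg = base / "etc"
    cfg.mkdir()
    (cfg / "ns.conf").write_text("# present\n")   # auth.conf deliberately absent
    return base


def run_demo():
    """Build the toy tree, run both checks and return (new_scripts, missing)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = build_demo_tree(tmp)
        baseline = time.time() - 7 * 86400   # assume last install a week ago
        new_scripts = find_new_scripts(base / "ns_gui", baseline)
        gone = missing_files([base / "etc" / "auth.conf"])  # assumed file name
        gone = [Path(m).relative_to(tmp).as_posix() for m in gone]
        return new_scripts, gone


if __name__ == "__main__":
    scripts, gone = run_demo()
    print("scripts newer than baseline:", scripts)
    print("expected files missing:", gone)
```

The mtime check is deliberately simple; an intruder can backdate a file with `touch`, so on a real appliance pair it with a comparison against a known-good file list or package manifest, and treat a missing authorization file as a strong signal regardless of what the web directories show.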

Bishop Fox also worked with the GreyNoise intelligence service, which monitors and tracks automated, internet-wide exploitation attempts. Since GreyNoise added detection for the vulnerability on July 21, it has observed no exploitation attempts against Citrix ADC. That does not mean targeted attacks like the June intrusion have stopped; a hand-operated intrusion against a single chosen appliance is unlikely to show up in sensors built to catch mass scanning.

As more details about the vulnerability become public, other attackers are likely to develop their own exploits, which would drive up the number of attacks. That is concerning given that 53% of publicly exposed NetScaler ADC appliances have still not received the patch that fixes the flaw.

In conclusion, this remote code execution vulnerability in Citrix ADC and Gateway appliances poses a significant risk to organizations. Exploitation has already been observed in the wild, so affected organizations should apply the patch promptly and, because the flaw was exploited before the fix existed, also check already-patched appliances for signs of earlier compromise. Failure to do so could leave attackers with persistent control of these devices, potentially leading to data theft and further intrusion into the network.
