Alert essentials:
On July 18, 2023, Citrix published a security bulletin announcing fixes for three new vulnerabilities: CVE- 2023-3519, CVE-2023-3467, and CVE-2023-3466. These CVEs allow for remote code execution, privilege escalation to root administrator, and cross site scripting. Organizations should review all Citrix ADC and Gateways to ensure they are running the latest firmware versions. These are new vulnerabilities detected and should not be confused with vulnerabilities reported with the same Citrix systems by Fortified in May 2023.
CVE-2023-3519 is known to be actively exploited by threat actors. Cloud Software Group is urging customers to upgrade affected systems as soon as possible.
Detailed threat description:
Fortified Health Security VTM clients can search for these vulnerabilities using Nessus Professional Plugin ID “178442” in the dashboard. Please note that this plugin requires the VTM scanner to have credentials to Citrix appliances to adequately detect the vulnerability. Additionally, if your most recent scan was conducted prior to July 18, this plugin was not available at the time of the scan. Reach out to your VTM Analyst to perform a plugin update and rescan.
- CVE-2023-3519: Unauthenticated remote code execution — NOTE virtual server
- CVE-2023-3467: Allows for privilege escalation to root administrator (nsroot)
- CVE-2023-3466: Reflected XSS vulnerability — successful exploitation requires the victim to access an attacker-controlled link in the browser while on a network with connectivity to the NetScaler IP (NSIP)
CVE-2023-3519 is known to be actively exploited by threat actors. Cloud Software Group is urging customers to upgrade affected systems as soon as possible.
Impacts on healthcare organizations
These vulnerabilities allow threat actors to compromise and take full control of Citrix appliances through remote code execution, cross site scripting, and privilege escalation. Successful attacks could allow for data exfiltration, ransomware deployment, etc., compromising PHI, patient care, and potentially leading to extended downtime of IT systems.
Affected products / versions
- NetScaler ADC and NetScaler Gateway 1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EoL) and is vulnerable.
Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action, though confirmation with vendor is recommended.
CVE
- CVE-2023-3519
- CVE-2023-3467
- CVE-2023-3466
Recommendations
Engineering recommendations:
- Locate all Citrix ADC/Gateway appliances and ensure they are upgraded to the latest versions
- Consider including Citrix appliances in routine VTM scanning efforts with appropriate credentials applied
- Consider reviewing all accounts with access to Citrix resources and disabling those accounts where access is not necessary
Leadership / program recommendations:
- Review your organization’s patch management procedures to ensure Citrix and other vendor appliances are receiving regular updates
- Consider a reinforcing policy that permits disabling and restriction of user accounts not actively using these resources for a period of time (30-90 days is common)
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519- cve20233466-cve20233467
- https://www.rapid7.com/blog/post/2023/07/18/etr-critical-zero-day-vulnerability-in-citrix-netscaler-adc-and-netscaler- gateway/
- https://www.tenable.com/plugins/nessus/178442
