Over 15,000 Citrix Servers Vulnerable to Code Injection Attacks
Hundreds of Citrix NetScaler ADC and Gateway servers were exposed as a result of an unauthenticated critical RCE bug that threat actors had previously exploited as a zero-day in the wild.
Threat actors exploited this zero-day vulnerability in June 2023 to drop a web shell on a critical infrastructure organization's NetScaler ADC, leading to AD data exfiltration.
However, the threat actors' lateral movement to the domain controller was prevented by the effective network segmentation controls around the appliance.
Cybersecurity researchers at the Shadowserver Foundation recently reported that over 15,000 Citrix servers are vulnerable to this critical code injection attack, tracked as CVE-2023-3519; in addition, the Cybersecurity and Infrastructure Security Agency (CISA) has released a Cybersecurity Advisory (CSA).
Flaw Profile
- CVE ID: CVE-2023-3519
- Description: Unauthenticated remote code execution
- CWE: CWE-94
- CVSS Score: 9.8
- Prerequisite: The appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server
Affected Versions of NetScaler ADC & NetScaler Gateway
The affected versions of NetScaler ADC and NetScaler Gateway are listed below:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1, now end of life
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-65.36
- NetScaler ADC 12.1-NDcPP before 12.65.36
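For defenders triaging a fleet inventory, the version list above can be turned into a checker. The following is an added example, not code from Citrix, CISA or the article; the edition labels ("standard", "FIPS", "NDcPP") are this example's own naming, it accepts both the plain "13.1-49.13" form and the "NS13.1: Build 49.13.nc" form the appliance prints, and it assumes the NDcPP entry printed above as "12.65.36" means build 65.36 of the 12.1 train.

```python
import re
from typing import Optional, Tuple

# First fixed build per release train and edition, taken from the list above.
# Value None means no fixed build exists (12.1 standard is end of life).
FIXED_BUILDS = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("12.1", "standard"): None,        # EOL: every 12.1 standard build is affected
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (65, 36),
    # ASSUMPTION: the article prints the NDcPP fix as "12.65.36"; this example
    # reads that as build 65.36 of the 12.1 train.
    ("12.1", "NDcPP"): (65, 36),
}

# Matches "13.1-48.47" and "NS13.0: Build 91.13.nc" (the `show version` form).
_VERSION_RE = re.compile(r"^(?:NS)?(\d+)\.(\d+)[-: ]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (train, (build, sub_build)); raise ValueError on unparsable input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    major, minor, build, sub = m.groups()
    return f"{major}.{minor}", (int(build), int(sub))


def is_affected(text: str, edition: str = "standard") -> Tuple[bool, str]:
    """Decide whether a build falls inside the affected ranges listed above.
    Trains absent from the list are reported as not listed, not as safe."""
    train, build = parse_version(text)
    fixed: Optional[Tuple[int, int]] = FIXED_BUILDS.get((train, edition), "missing")
    if fixed == "missing":
        return False, f"{train} {edition}: train not in the affected list"
    if fixed is None:
        return True, f"{train} {edition}: end of life, no fixed build"
    if build < fixed:  # tuple comparison: build first, then sub-build
        return True, f"{train} {edition}: {build[0]}.{build[1]} is before fix {fixed[0]}.{fixed[1]}"
    return False, f"{train} {edition}: at or after the fixed build"


if __name__ == "__main__":
    # Constructed sample inventory entries, not real appliances.
    for ver, ed in [("13.1-48.47", "standard"), ("NS13.0: Build 91.13.nc", "standard"),
                    ("12.1-65.35", "standard"), ("13.1-37.150", "FIPS")]:
        print(ver, ed, is_affected(ver, ed))
```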
Exploitation and Patch
On July 18th, Citrix urgently released security updates for the RCE vulnerability (CVE-2023-3519) after observing exploits on unmitigated appliances, urging immediate patch installation.
The zero-day RCE (CVE-2023-3519) for Citrix ADC was likely circulating online from early July, when a threat actor advertised it on a hacker or dark web forum.
Besides this, Citrix also addressed two other high-severity flaws, tracked as CVE-2023-3466 and CVE-2023-3467, on the same day: one enabling XSS attacks and the other granting root permissions.
The second flaw, with the higher impact, requires authenticated access via the NetScaler IP (NSIP) or Subnet IP (SNIP) to the vulnerable appliances' management interface.
Meanwhile, a new directive from CISA mandates that U.S. federal agencies secure their Citrix servers against the ongoing attacks by the 9th of August, after the bug was exploited to breach a critical infrastructure organization's systems.
Source credit: cybersecuritynews.com