Attackers Exploit Citrix Zero-Day Bug to Pwn NetScaler ADC, Gateway

Cyberattackers are actively exploiting a critical remote code execution (RCE) bug in several versions of Citrix's NetScaler ADC and NetScaler Gateway application delivery and remote access technologies.

The flaw does not require authentication to exploit.

Citrix issued a patch for the zero-day vulnerability, tracked as CVE-2023-3519, on July 18 along with a recommendation for organizations using the affected products to apply it immediately.

Added to CISA's Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) lent urgency to that recommendation by promptly adding the code-injection vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and giving all federal civilian executive branch agencies until August 9 to apply the patch. "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said in its decision to include CVE-2023-3519 to its catalog.

Citrix credited two researchers at Resillion for discovering and reporting the bug. The company described the vulnerability as allowing an unauthenticated attacker to run arbitrary code on an affected server and gave the bug a severity rating of 9.8 out a maximum possible 10. For an exploit to work, the vulnerable appliance would need to be configured as a gateway device such as a VPN virtual server, an ICA Proxy, Citrix Virtual Private Network (CVPN), RDP proxy, or an AAA virtual server, Citrix said.

Vulnerabilities in gateway products such as NetScaler ADC and NetScaler Gateway have become popular targets for attackers in recent years because of how widely organizations are using them to secure remote workforce access to enterprise applications and data. A successful exploit can give a threat actor an initial and often highly privileged access on a target network.

Popular Target

CISA's KEV catalog contains 12 entries for widely exploited vulnerabilities in Citrix products alone since November 2021. The more recent ones among them include CVE-2022-27518, an authentication bypass vulnerability in Citrix ADC and Gateway; CVE-2021-22941, an improper access control flaw in Citrix ShareFile storage zones controller; and CVE-2019-12991, a command injection vulnerability in Citrix SD-WAN and NetScaler. Some Citrix flaws such as CVE-2019-19781 from 2019 rank among the most heavily targeted by threat actors from China, Iran, and Russia.

Citrix is by far not the only target. CISA and the National Security Agency (NSA) have warned of threat actors — including nation-state backed groups — actively seeking and exploiting vulnerabilities in gateway devices from other vendors including Fortinet, Pulse, Cisco, Netgear and QNAP. In a joint advisory from June 2022, the two federal agencies warned of Chinese threat actors in particular targeting flaws in these products to "establish a broad network of compromised infrastructure" worldwide. In some instances, like one involving a Fortinet flaw in October 2022 (CVE-2022-40684), threat actors have compromised networks by exploiting a vulnerability in a gateway device and then sold access to the compromised network to other cybercriminals.

CVE-2023-3519 is one of three bugs that Citrix disclosed this week. The other two affect NetScaler ADC and NetScaler Gateway, which Citrix has renamed as Citrix ADC and Citrix Gateway. One of them is a reflected cross-site scripting flaw (CVE-2023-3466) that the company described as requiring the "victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIP." Citrix assessed the vulnerability with a severity score of 8. The other flaw, tracked as CVE-2023-3467, also scores an 8 in severity and allows an attacker to escalate privileges to that of an administrator. An attacker would need authenticated access to NetScaler IP address (NSIP) or Subnet IP address (SNIP) to be able to exploit the vulnerability, Citrix said.