Pierluigi Paganini July 23, 2023

Researchers reported that more than 15000 Citrix servers exposed online are likely vulnerable to attacks exploiting the vulnerability CVE-2023-3519.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week warned of cyber attacks against Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices exploiting recently discovered zero-day CVE-2023-3519. The Agency states that threat actors targeted a NetScaler ADC appliance deployed in the network of a critical infrastructure organization.

Citrix this week warned customers of a critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler Application Delivery Controller (ADC) and Gateway that is being actively exploited in the wild

The vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), is a code injection that could result in unauthenticated remote code execution. The IT giant warns of the availability of exploits for this vulnerability that have been observed in attacks against unmitigated appliances. The company added that successful exploitation requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” reads the report published by Citrix.

The Citrix Cloud Software Group is strongly urging affected customers to install the relevant updated versions as soon as possible. 

The U.S. CISA revealed that threat actors are exploiting the vulnerability to drop web shells on vulnerable systems.

“The Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA), Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells, to warn organizations about threat actors exploiting CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway.” reads the advisory published by CISA. “In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.”

CISA did not attribute the attack to a specific threat actor. The attackers exploited the flaw to deploy the the webshell that was used to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The threat actors attempted to move laterally to a domain controller, but CISA pointed out that network-segmentation controls for the appliance blocked movement.

The attackers obtained encrypted passwords from NetScaler ADC configuration files, and the decryption key was stored on the ADC appliance.

Researchers from the non-profit organization Shadowserver Foundation this week reported that at least 15,000 Citrix servers were exposed to CVE-2023-3519 attacks based on their version information. Most of the servers are located in the United States and Germany.

Update on CVE-2023-3519 vulnerable IPs: we now tag 15K Citrix IPs as vulnerable to CVE-2023-3519. We extended the tagging logic to tag as vulnerable all that return Last Modified headers with a date before July 1, 2023 00:00:00Z. We also improved NetScaler AAA detection coverage. https://t.co/xvHv4r5e8g pic.twitter.com/jd1shpdXjF

— Shadowserver (@Shadowserver) July 21, 2023

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Citrix)