Citrix ADC and Gateway Vulnerability Exploited by Zero-Day Attacks

Citrix has issued an urgent warning to users regarding a critical security vulnerability in NetScaler Application Delivery Controller (ADC) and Gateway. This flaw, identified as CVE-2023-3519 with a CVSS score of 9.8, is actively being exploited in the wild. The vulnerability involves code injection, potentially leading to unauthenticated remote code execution. The affected versions include:

• NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-49.13
• NetScaler ADC and NetScaler Gateway 13.0 prior to 13.0-91.13
• NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
• NetScaler ADC 13.1-FIPS prior to 13.1-37.159
• NetScaler ADC 12.1-FIPS prior to 12.1-55.297
• NetScaler ADC 12.1-NDcPP prior to 12.1-55.297

Citrix has not provided extensive details about the vulnerability tied to CVE-2023-3519, except that exploits have been observed on “unmitigated appliances.” Successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server.

Additionally, two other vulnerabilities have been addressed alongside CVE-2023-3519:

• CVE-2023-3466 (CVSS score: 8.3): An improper input validation vulnerability leading to a reflected cross-site scripting (XSS) attack.
• CVE-2023-3467 (CVSS score: 8.0): An improper privilege management vulnerability resulting in privilege escalation to the root administrator (nsroot).

Wouter Rijkbost and Jorren Geurts of Resillion were credited with reporting these bugs. Patches have been released to address all three vulnerabilities in the following versions:

• NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
• NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
• NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
• NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
• NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Users of NetScaler ADC and NetScaler Gateway version 12.1 are advised to upgrade their appliances to a supported version in order to mitigate potential threats.

This security issue emerges alongside active exploitation of vulnerabilities found in Adobe ColdFusion (CVE-2023-29298 and CVE-2023-38203) and the WooCommerce Payments WordPress plugin (CVE-2023-28121). Neglecting security flaws in WordPress plugins can lead to complete compromise, allowing threat actors to repurpose compromised WordPress sites for further malicious activities. Recently, an attack campaign known as Nitrogen targeted infected WordPress sites to host malicious ISO image files, triggering the deployment of rogue DLL files capable of connecting to remote servers for additional payloads, including Python scripts and Cobalt Strike.