CVE-2023-3519 - NetScaler ADC & Gateway

Note: CVE-2023-3519 - NetScaler Application Delivery Controller (ADC) (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway)

Description

NetScaler Inc. was founded in 1997 in San Jose, California, by the entrepreneur Mr. Michel K. Susai, who had previously worked at the Unisys Corporation and subsequently at Sun Microsystems. It produced application appliances that handled tasks such as load balancing, content caching and remote access, and that optimized the delivery of custom web applications. NetScaler was acquired by Citrix Systems, Inc. in 2005.

Citrix Systems, Inc. was founded in 1989 in Richardson, Texas, by Mr. Edward E. Iacobucci, a former IBM software developer who had held architecture and design leadership responsibilities for IBM DOS and OS/2 systems and had led the joint IBM-Microsoft design for multi-tasking personal computer operating systems. Citrix Systems, Inc. became an industry leader in thin client technology, enabling purpose-built devices to access remote servers and resources. Between 2005 and 2012, Citrix Systems, Inc. acquired a number of companies specialising in information technology, which allowed it to expand into server and desktop virtualization, cloud computing, infrastructure as a service, and software as a service (SaaS) offerings.

In 2016, Citrix Systems, Inc. consolidated all of its networking products under the NetScaler brand. On 30 September 2022, Citrix Systems, Inc. was acquired by the private equity firms Vista Equity Partners and Elliott Investment Management, which took the company private and merged it with TIBCO (The Information Bus Company) Software Inc., which Vista Equity Partners had acquired on 5 December 2014. The two private equity firms launched the Cloud Software Group to oversee the merger of Citrix and TIBCO.

Today, NetScaler is a line of networking products owned by the Cloud Software Group. It consists of NetScaler Application Delivery Controller (ADC), NetScaler AppFirewall (an application firewall), NetScaler Unified Gateway, NetScaler Application Delivery Management (ADM), and NetScaler SD-WAN, which provides software-defined wide-area networking management.

NetScaler ADC is used to monitor server health and to distribute network and application traffic across additional servers for efficient use of resources. It also performs several kinds of caching and compression. It can act as a server proxy, process SSL requests, and offer VPN and micro-app VPN operations, and it includes NetScaler application firewall and SSL encryption capabilities. NetScaler ADC can manage traffic during DDoS attacks, making sure that traffic reaches critical applications. Additionally, NetScaler's logs of network activity feed into Citrix's cloud-based analytics service, where they are used to analyse and identify security risks.

Problem

In March 2023, two (2) ethical hackers, Jorren Geurts and Wouter Rijkbost, from the Belgian cyber security company Resillion (formerly Eurofins Digital Testing), which provides managed testing services, quality assurance and technical analysis of digital systems, devices, content and cyber security, identified a zero-day vulnerability in the NetScaler Application Delivery Controller (ADC). It allowed anyone with access to the management interface to escalate their privileges to root, giving them full control over the system; that control could be used to gain access to sensitive data, disrupt business processes, run malicious commands, install malware, and gain further access into the network. The vulnerability was disclosed to the Cloud Software Group on 15 March 2023 under its Responsible Disclosure program.

On 18 July 2023, Citrix Systems, Inc. publicly disclosed Common Vulnerabilities and Exposures (CVE) report CVE-2023-3519 and released a software patch for the security vulnerability. A subsequent security bulletin revealed two (2) additional security vulnerabilities affecting the NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. Software patches and updates for both of these security vulnerabilities were also released.

Common Vulnerabilities & Exposures (CVEs)

Systems used for reporting and assessing the severity of security vulnerabilities.

No. System   Description
1. Common Vulnerabilities and Exposures (CVE)   The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures.
2. Common Vulnerability Scoring System (CVSS)   CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It provides a numerical (0-10) representation of the severity of an information security vulnerability.

CVSSv3.0 Metrics.

No. Base Score Range Severity
1. 0.0 None
2. 0.1 - 3.9 Low
3. 4.0 - 6.9 Medium
4. 7.0 - 8.9 High
5. 9.0 - 10.0 Critical

List of CVEs & Citrix Security Bulletin - NetScaler ADC & NetScaler Gateway.

No. CVE Report   Description   CVSSv3   Disclosed   Advisory
1. CVE-2023-3519   Unauthenticated Remote Code Execution Vulnerability.   9.8   29-09-2023   Citrix Security Bulletin
2. CVE-2023-3466   Reflected Cross-Site Scripting (XSS) Vulnerability.   8.3   29-09-2023   Citrix Security Bulletin
3. CVE-2023-3467   Privilege Escalation to Root Administration (nsroot).   8.0   29-09-2023   Citrix Security Bulletin

Note: Constituents who click the CVE link in the table above will be directed to the www.mitre.org webpage, which contains relevant information on the particular CVE No. Constituents then have the option to click the www.cve.org link, which will direct them to the www.cve.org webpage, where additional information on the CVE in question can be accessed by entering the CVE No. in the Find field.

CVE-2023-3519 is an unauthenticated remote code execution (RCE) vulnerability. It affects older installations of NetScaler Application Delivery Controller (ADC) firmware, which secures network traffic, as well as NetScaler Gateway, an access gateway that provides virtual private network (VPN) and Single Sign-On (SSO) capabilities for remote end users or network resources.

CVE-2023-3466 is a reflected Cross-Site Scripting (XSS) vulnerability. It requires the victim to open an attacker-controlled link in a web browser while on a network with connectivity to the NetScaler IP (NSIP). The NSIP is the IP address through which the NetScaler is accessed for management purposes.

CVE-2023-3467 is a privilege escalation vulnerability. It requires attackers to have unauthenticated access to the NetScaler IP (NSIP) address or Subnet IP (SNIP) address with management interface access, and allows for potential privilege elevation to root administrator access.

Report of Exploitation of CVE-2023-3519 Security Vulnerability.

On 20 July 2023, the United States Cybersecurity & Infrastructure Security Agency (CISA) reported that in June 2023 threat actors had exploited the CVE-2023-3519 security vulnerability in a zero-day attack, dropping a webshell on a critical infrastructure organization's non-production NetScaler ADC appliance. The webshell enabled the threat actors to perform discovery on the victim's Active Directory (AD) and to collect and exfiltrate AD data. The threat actors attempted to move laterally to a domain controller, but network-segmentation controls for the appliance blocked the movement.

CSIRT-IE Recommendations.

CVE-2023-3519 is regarded as a high risk security vulnerability because it allows for remote code execution without any known offsets, together with CVE-2023-3466 and CVE-2023-3467. CSIRT-IE recommends that all constituents and customers of NetScaler Application Delivery Controller (ADC) and NetScaler Gateway within the jurisdiction ensure that the latest software patches and updates released by Citrix Systems, Inc. for the reported security vulnerabilities are applied as soon as possible.

Solution

On 18 July 2023, Citrix Systems, Inc. reported the following versions of NetScaler Application Delivery Controller (ADC) and NetScaler Gateway to be affected by the reported security vulnerabilities.

No. Versions of NetScaler ADC & Gateway Affected by Security Vulnerabilities
1. NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13.
2. NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13.
3. NetScaler ADC 13.1-FIPS before 13.1-37.159.
4. NetScaler ADC 12.1-FIPS before 12.1-55.297.
5. NetScaler ADC 12.1-NDcPP before 12.1-55.297.

Note: NetScaler Application Delivery Controller (ADC) and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

Citrix Systems, Inc. recommended that affected customers of NetScaler Application Delivery Controller (ADC) and NetScaler Gateway install the relevant updated versions as soon as possible.

No. Versions of NetScaler ADC & Gateway to be Installed.
1. NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases.
2. NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0.
3. NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS.
4. NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS.
5. NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP.

Note: The Cloud Software Group also recommends that its customers upgrade their appliances to one of the supported versions that address the security vulnerabilities.
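The affected and fixed version lists above can be turned into a simple inventory check. The following Python script is an added example, not Citrix or CSIRT-IE tooling: it parses a NetScaler build string, compares it as integer tuples against the fixed build for its release branch and variant, and flags the End of Life 12.1 branch. The `show ns version` banner layout, the FIPS/NDcPP variant parameter and the sample inventory are assumptions.

```python
# Added example (not Citrix or CSIRT-IE tooling): map NetScaler ADC / Gateway build
# strings onto the fixed-version lists above for CVE-2023-3519 / -3466 / -3467.
import re
from typing import NamedTuple, Optional

class Build(NamedTuple):
    release: str            # release branch, e.g. "13.1"
    build: tuple            # build number as integers, e.g. (49, 13)

# Minimum fixed build per (release, variant), from the version lists above.
FIXED_BUILDS = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}
EOL_RELEASES = {"12.1"}   # non-FIPS/NDcPP 12.1 is End of Life: no fixed build

# Accepts the bulletin form "13.1-49.13" and a `show ns version` banner such as
# "NetScaler NS13.1: Build 49.13.nc" (the banner layout is an assumption).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-:\s]+(?:Build\s+)?(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Build]:
    m = _VERSION_RE.search(text)
    return Build(m.group(1), (int(m.group(2)), int(m.group(3)))) if m else None

def assess(text: str, variant: str = "standard") -> str:
    """Return 'fixed', 'vulnerable', 'eol-vulnerable' or 'unknown' for one appliance."""
    b = parse_version(text)
    if b is None:
        return "unknown"
    fixed = FIXED_BUILDS.get((b.release, variant))
    if fixed is None:
        return "eol-vulnerable" if b.release in EOL_RELEASES else "unknown"
    # Compare integer tuples: as floats, 49.9 would wrongly sort above 49.13.
    return "fixed" if b.build >= fixed else "vulnerable"

def triage(inventory):
    """inventory: iterable of (hostname, version_text, variant) -> {hostname: status}."""
    return {host: assess(ver, variant) for host, ver, variant in inventory}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are not real.
    sample = [("adc-dmz-01", "NetScaler NS13.1: Build 49.13.nc", "standard"),
              ("gw-dmz-02", "13.0-90.12", "standard"),
              ("adc-fips-01", "13.1-37.150", "FIPS"),
              ("adc-legacy-01", "12.1-65.25", "standard")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Releases the bulletin does not list (for example anything newer than 13.1) are reported as unknown rather than fixed, so they are not silently passed.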

General Information - Application Delivery Controller (ADC)

An application delivery controller (ADC) is a network appliance that optimizes the delivery of web and business applications, making them faster and more efficient. It does this by securing and strengthening the connection between the client's network and the application servers.

An Application Delivery Controller (ADC) is vital in any network that wants continuous service and an efficient e-commerce business. Along with distributing the software load, an ADC can increase application speed, store and compress data, shape traffic, and provide protection.

The Application Delivery Controller (ADC) is the first line of defence for web application servers and can provide several defence functions, such as a DNS application firewall, a web application firewall, and protection against DDoS attacks. The ADC acts as a verification or auditing system for the application servers behind the cybersecurity protection. The most typical deployment configuration is to locate the ADC in the demilitarized zone (DMZ), between the firewall used for network security and the application server.

The ADC optimizes traffic, organizing new and old traffic based on testing targets, and uses SSL offloading to accelerate performance. Overall, it is deployed to optimize application delivery, ensuring that web-based businesses are always available, efficient, and secure.

The NetScaler ADC improves performance by using HTTP compression and data caching. The workload is shared across multiple servers and networks to ensure that there is no single point of failure and that no single server is overloaded, which would cause slow or inefficient performance.

General Information - Gateway

A gateway is a network node that connects networks using different transmission protocols and regulates the traffic between them. A gateway is the entry and exit point of a network, as all data passes through it before being routed.

A network has a boundary that prevents direct communication with devices, nodes, or networks outside it. If a network needs to communicate with nodes, devices, or networks outside that boundary, it requires a gateway. A router can be a network gateway, and so can a modem. Any device that connects to the internet and translates information between two or more networks is a gateway.

The NetScaler Gateway, which is configured with the default IP address of 192[.]168[.]100[.]1 and subnet mask of 255[.]255, can be used as a complete SSL VPN solution that enables users to access network resources. It also serves as a single sign-on access point to all web, cloud, mobile, and other applications that users require. The typical deployment configuration for a NetScaler Gateway appliance is in the demilitarized zone (DMZ).

Features of a Gateway

Distinct Features and Capabilities of Gateways.

No. Feature   Capabilities
1. Security   Gateways are one part of a comprehensive data security plan. When a gateway is used as a firewall or security tool, it can protect data that is passed between networks or has migrated to the cloud. Secure Internet Gateways (SIGs) exist to provide as much protection as possible against internet attacks and vulnerabilities.
2. Visibility   Gateways are often used for monitoring network activity. It is recommended that gateways always be visible and ready to be updated with new instructions.
3. Multi-Protocol   Because gateways are programmable, they can be customized to work with a number of network protocols. That means more flexibility, better security, and a higher level of network resilience.
4. Analytics   As visible, programmable, multi-protocol software, gateways often play a key role in collecting network information from a variety of locations. They can also be used as an important diagnostic and troubleshooting tool.

Additional Information

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
CISA - Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
Mandiant - Exploitation of Citrix Zero Day by Possible Espionage Actors (CVE-2023-3519)
Shadowserver Technical Summary of Observed Citrix CVE-2023-3519 Incidents
Unit42 Threat Brief: RCE Vulnerability CVE-2023-3519
Aleksa Sarai - Openwall - CVE-2019-5736: runc container breakout exploit code
Resillion - Escalating privileges in Citrix ADC
Critical Zero-Day Vulnerability in Citrix NetScaler ADC and NetScaler Gateway
Zscaler - Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
LogicMonitor - What is Citrix NetScaler, and how does it work?
Citrix Gateway: What is it and Why Use It? | Parallels
Whatis MyIPAddress - What is a Gateway and What Does it Do?