CERT-In has joined the global cybersecurity advisories to issue alerts on a Citrix Netscaler Server Vulnerability, found to be exploited in the wild.

Thousands of Citrix Netscaler Application Delivery Controller (ADC) and Gateway servers are currently exposed online and vulnerable to critical remote code execution (RCE) attacks, the alert said.

The Citrix Netscaler Server vulnerability, identified as CVE-2023-3519, popped up in the cybersecurity news after it was found being exploited as a zero-day by threat actors in the wild.

ADCs, which are predominantly utilized in the information technology industry, play a crucial role in enterprise and cloud data centers.

Their primary objective is to ensure the seamless enhancement and availability, security, and performance of applications.

By offering various functions, ADCs optimize the delivery of enterprise applications across the network, thereby contributing to overall efficiency and reliability.

Citrix Netscaler server vulnerability: The details

Various estimates indicate that at least 15,000 appliances have been identified as susceptible to attacks leveraging the Citrix Netscaler server vulnerability, coded CVE-2023-3519, based on their version information.

By analyzing version hashes, the organization can identify unpatched instances, as Citrix recently removed version hash information in their latest revisions.

This implies that instances still providing version hashes have not been updated and may be vulnerable to exploitation.

However, the total number of exposed Citrix servers may be higher than reported.

Certain vulnerable revisions known to be exploitable lack version hashes. As a result, these instances have not been tagged and added to the count of exposed Citrix servers, leading to potential undercounting.

“In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance,” said a CISA alert.

“The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.”

Citrix vulnerability patching, and more

Citrix has acknowledged the severity of the situation and has released security updates on July 18 to address the RCE vulnerability.

The company urgently advised customers to install the patches immediately to safeguard their systems from potential attacks.

Citrix specifically highlighted that unpatched Netscaler appliances configured as gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication virtual servers (AAA server) are at higher risk of exploitation.

The zero-day RCE vulnerability (CVE-2023-3519) was discovered to have been available online since the first week of July when a threat actor publicly advertised it on a hacker forum.

This public disclosure increased the potential for widespread exploitation by malicious actors, underscoring the urgency of patching vulnerable systems.

In addition to the RCE vulnerability, Citrix also addressed two other high-severity vulnerabilities (CVE-2023-3466 and CVE-2023-3467) on the same day.

CVE-2023-3466 allows attackers to launch reflected cross-site scripting (XSS) attacks, while CVE-2023-3467 enables attackers to elevate privileges to obtain root permissions.

CVE-2023-3467 requires authenticated access to the vulnerable appliances’ management interface via their IP (NSIP) or a SubNet IP (SNIP) address, making it more challenging to exploit but still posing a significant risk.

The urgency of the situation prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an order to U.S. federal agencies on 19 July, requiring them to secure Citrix servers on their networks against ongoing attacks by August 9.

CISA also warned that the CVE-2023-3519 vulnerability had already been successfully exploited to breach the systems of a U.S. critical infrastructure organization back in June 2023.

Citrix Netscaler server vulnerability management

“Given the scope and sophistication of this threat actor, Mandiant recommends that organizations rebuild any appliances that have been exploited,” said a threat assessment report by Mandiant.

“The ADC upgrade process overwrites some, but not all, of the directories where threat actors may create web shells, potentially leaving the appliance in a compromised state.”

According to the report, failing to do so may expose their networks to potential remote code execution, data breaches, and unauthorized access, leading to severe consequences for both the affected organizations and their users.

In the event of a compromise detection, organizations must take swift and decisive actions to mitigate the potential risks, said the CISA alert.

Firstly, they should promptly quarantine or take offline any potentially affected hosts to prevent further spread of the compromise. Next, compromised hosts should be reimaged, ensuring that any malicious elements are completely eradicated.

As an additional security measure, new account credentials should be provisioned to ensure unauthorized access is revoked.

To understand the extent of the compromise, organizations should collect and thoroughly review artifacts like running processes/services, unusual authentication attempts, and recent network connections.