
Security Agencies Urge Users to Patch Citrix Zero-Day Flaw

Vulnerable Citrix Appliances Used in Healthcare Sector; Exploits Seen in the Wild

Top U.S. and Australian cybersecurity agencies strongly urged users to patch a critical zero-day flaw in Citrix Application Delivery Controller and Gateway appliances.

The bug, tracked as CVE-2023-3519, has a CVSS score of 9.8 and allows unauthenticated attackers to execute code remotely on the appliance. Citrix said the vulnerability is being actively exploited by unnamed threat actors in the wild.

The Citrix appliances are used in the healthcare sector for remote access and balancing network demands on applications such as electronic health records. Citrix did not say how many devices have been affected by the zero-day bug but "this product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly," said cybersecurity firm Rapid7.

The U.S. Cybersecurity and Infrastructure Security Agency encouraged users and administrators to review the Citrix security bulletin and apply the necessary updates.

The Australian Cyber Security Centre also strongly urged users to review the mitigations, saying, "There is significant exposure to this Citrix NetScaler ADC and NetScaler Gateway vulnerability in Australia," and that any future exploitation of it would have a significant effect on Australian systems and networks.

Exploitation requires that the vulnerable appliance be configured either as a gateway - a VPN virtual server, ICA Proxy, CVPN or RDP Proxy - or as an authentication virtual server, such as an AAA server, Citrix said in its security bulletin.

The company released fixes for the issue in the following versions:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases of 13.1;
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0;
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS;
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS;
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP.

There are no fixes available for NetScaler ADC and NetScaler Gateway version 12.1 as they have reached the end-of-life stage, Citrix said. It recommends that customers using these products upgrade to a newer version of the product for mitigation.
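The fixed-version list and the gateway/AAA precondition above translate directly into an inventory check. The script below is an added example, not Citrix or ISMG code: it classifies a NetScaler version string (in the form the bulletin uses, e.g. "13.1-49.13" or "13.1-FIPS 13.1-37.159") against the fixed builds, treats standard 12.1 as end-of-life, and ranks hosts so that unfixed appliances that are actually exposed as a gateway or AAA virtual server are remediated first. Hostnames and builds in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed build per branch, from the Citrix list reproduced above.
# Key: (release, variant); variant is "" for standard builds, else "FIPS" or "NDcPP".
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (65, 36),
    ("12.1", "NDcPP"): (65, 36),
}
# Standard 12.1 is end-of-life: no fix exists, so the only remediation is an upgrade.
END_OF_LIFE = {("12.1", "")}

# Accepts the forms used in the bulletin: "13.1-49.13", "13.1-FIPS 13.1-37.159".
_VERSION_RE = re.compile(r"^(\d+\.\d+)(?:-(FIPS|NDcPP)\s+\1)?-(\d+)\.(\d+)$")

def assess(version: str) -> str:
    """Classify one version string as patched, vulnerable, end-of-life or unknown."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    key = (m.group(1), m.group(2) or "")
    # Builds compare as integer pairs: 49.13 is newer than 49.9, unlike decimals.
    build = (int(m.group(3)), int(m.group(4)))
    if key in END_OF_LIFE:
        return "end-of-life"
    if key not in FIXED_BUILDS:
        return "unknown"  # branch not in the bulletin excerpt; consult Citrix directly
    return "patched" if build >= FIXED_BUILDS[key] else "vulnerable"

def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str]]:
    """Order hosts for remediation. Entries are (hostname, version, exposed); exposed
    is True when the appliance runs a gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or
    AAA virtual server, the precondition Citrix gives. Unfixed, exposed hosts first."""
    rank = {"vulnerable": 0, "end-of-life": 0, "unknown": 1, "patched": 2}
    rows = [(host, ver, assess(ver), exposed) for host, ver, exposed in inventory]
    rows.sort(key=lambda r: (rank[r[2]], not r[3], r[0]))
    return [(host, ver, status) for host, ver, status, _ in rows]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("ns-gw-01.example.invalid", "13.1-48.47", True),
        ("ns-lb-02.example.invalid", "13.0-91.13", False),
        ("ns-old-04.example.invalid", "12.1-65.36", True),
    ]
    for row in triage(sample):
        print(*row)
```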

More Highly Rated Vulnerabilities

Citrix also fixed two other highly rated vulnerabilities:

  • CVE-2023-3466: This cross-site scripting vulnerability with a CVSS score of 8.3 can be exploited if the victim accesses an attacker-controlled link in a browser while being on a network with connectivity to the NetScaler IP.
  • CVE-2023-3467: This improper privilege management vulnerability with a CVSS score of 8.0 results in privilege escalation to the root administrator - nsroot. For successful exploitation, the attacker needs to have authenticated access to NSIP or SNIP with management interface access.

Customers should prioritize patching these bugs as Citrix appliances have been a lucrative target, especially for nation-state hackers. In December 2022, Citrix disclosed that networking appliances used to assure the availability of clinical applications and a virtual private network contained flaws that had been under active exploitation by Chinese state-sponsored hackers at the time (see: Chinese Hackers Exploit Citrix Vulnerabilities).

In January, researchers uncovered thousands of Citrix ADC and Gateway servers that were vulnerable to two critical flaws, one of which was being actively exploited by Chinese nation-state hackers, the U.S. National Security Agency warned (see: Flaws in Citrix Servers; Netgear Issues Critical Advisory).

"Due to the historical nature of exploitation against ADC and Gateway appliances, we strongly urge organizations to patch CVE-2023-3519 as soon as possible," cybersecurity provider Tenable said.

About the Author

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
