On July 18, Citrix published a security bulletin (CTX561482) that addresses a critical remote code execution (RCE) vulnerability in Netscaler ADC (formerly known as Citrix ADC) and Netscaler Gateway (formerly known as Citrix Gateway).

In addition to CVE-2023-3519, Citrix patched two additional vulnerabilities in its ADC and Gateway appliances:

Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions –

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
• NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-55.297, and
• NetScaler ADC 12.1-NDcPP before 12.1-55.297

CVE-2023-3519 Added to CISA KEV Catalog#

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added the Citrix remote code execution flaw to its Known Exploited Vulnerabilities (KEV) catalogue based on evidence of exploit.

How many systems are exposed to Citrix RCE CVE-2023-3519

Currently, in Shodan, there are 48K + servers, but this is just the initial approach 

As of 23 July 2023 Shadow server’s foundation count, there are 5.7K vulnerable citrix systems in the USA alone and 1K in the united kingdom, but the count could be much higher.

Europe Citrix vulnerable Servers

Timeline and indicator of compromise for CVE-2023-3519 Update on Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a

The attack shows exploitation on 7th of july 11 days in advance of the notification

Citrix Gateway VPN compromised via CVE-2023-3519 (a critical unauthenticated RCE) shows evidence of exploitation on 7th July, 11 days before the official patch.

The attackers exfiltrated the system configuration file to then probably use the Metasploit module called… pic.twitter.com/vZuXdKsQ3r

— Germán Fernández (@1ZRR4H) July 23, 2023

The attackers exfiltrated the system configuration file to then probably use the Metasploit module called “citrix_netscaler_config_decrypt” and gain access as the user “nsroot” (full system access), other important secrets about the network and internal users are leaked. 

Bleeping computer reports the threat actor having access to the vulnerability since beginning of july

The CVE-2023-3519 RCE zero-day was likely available online since the first week of July when a threat actor began advertising Citrix ADC zero-day flaw on a hacker forum.

Currently from traces of CITRIX CVE-2023-3519 from virus total threat intel:

https://www.virustotal.com/gui/file/293fe23849cffb460e8d28691c640a5292fd4649b0f94a019b45cc586be83fd9 

How to detect if the patch has been applied to your citrix netscaler

The mr-r3boot researcher has recently published a script to identify the Citrix vulnerability

Last nights run!! 40 percent likely not patched #citrix #netscaler pic.twitter.com/J9IdDSpMQc

— mRr3b00t (@UK_Daniel_Card) July 23, 2023

https://github.com/mr-r3b00t/CVE-2023-3519

Citrix Indicator of compromise

Since its exploitation has been seen in the wild, certain indicators of compromise have been published to help auditors and threat hunters detect previous intrusions:

• Origin IP addresses:
  • 216.41.162.172
  • 216.51.171.17

DETECTION METHODS for CITRIX RCE from CISA

Run the following victim-created checks on the ADC shell interface to check for signs of compromise:

1. Check for files newer than the last installation.
2. Modify the -newermt parameter with the date that corresponds to your last installation:
   • find /netscaler/ns_gui/ -type f -name *.php -newermt [YYYYMMDD] -exec ls -l {} \;
   • find /var/vpn/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
   • find /var/netscaler/logon/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
   • find /var/python/ -type f -newermt [YYYYMMDD] -exec ls -l {} \;
3. Check http error logs for abnormalities that may be from initial exploit:
   • grep ‘\.sh’ /var/log/httperror.log*
   • grep ‘\.php’ /var/log/httperror.log*
4. Check shell logs for unusual post-ex commands, for example:
   • grep ‘/flash/nsconfig/keys’ /var/log/sh.log*
5. Look for setuid binaries dropped:
   • find /var -perm -4000 -user root -not -path “/var/nslog/*” -newermt [YYYYMMDD] -exec ls -l {} \;
6. Review network and firewall logs for subnet-wide scanning of HTTP/HTTPS/SMB (80/443/445) originating from the ADC.
7. Review DNS logs for unexpected spike in internal network computer name lookup originating from the ADC (this may indicate the threat actor resolving host post-AD enumeration of computer objects).
8. Review network/firewall logs for unexpected spikes in AD/LDAP/LDAPS traffic originating from the ADC (this may indicate AD/LDAP enumeration).
9. Review number of connections/sessions from NetScaler ADC per IP address for excessive connection attempts from a single IP (this may indicate the threat actor interacting with the webshell).
10. Pay attention to larger outbound transfers from the ADC over a short period of session time as it can be indicative of data exfiltration.
11. Review AD logs for logon activities originating from the ADC IP with the account configured for AD connection. 
12. If logon restriction is configured for the AD account, check event 4625 where the failure reason is “User not allowed to logon at this computer.”
13. Review NetScaler ADC internal logs (sh.log*, bash.log*) for traces of potential malicious activity (some example keywords for grep are provided below):
    • database.php
    • ns_gui/vpn
    • /flash/nsconfig/keys/updated 
    • LDAPTLS_REQCERT 
    • ldapsearch 
    • openssl + salt
14. Review NetScaler ADC internal access logs (httpaccess-vpn.log*) for 200 successful access of unknown web resources.

Further details on CISA website

Previous Issues of Vulnerability Weekly

• Movit Transfer Zellis Data Breach
• Latest Security Vulnerability of the Week 24/10/22 
• Security Vulnerability of the Week 3/10/22 – Application Security – Cloud – Vulnerability – Exchange Zero Day & Mitigations, bitbucket, cobalt stike
• Security Vulnerability of the Week 12/09/22 – Application Security – Cloud Security – Linux Malware, Windows patched 64 vulns with zero-day, Uber Hack Timeline, GTA 6/Rockstar Hack – This week we deep dive into Linux Malware, Windows patched 64 vuln with zero day, Uber Hack Timeline, GTA 6/Rockstar Hack
• Security Vulnerability of the Week 12/09/22 – Application Security – Uber Hack Timeline – Special Focus on Uber latest news on hack