Warning: Netscaler Unauthenticated Remote Code Execution vulnerability
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297
Reflected Cross-Site Scripting (XSS) - Elevation of Privileges (EoP) - Remote Code Execution (RCE)
CVE-2023-3466: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H (8.3)
CVE-2023-3467: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.0)
CVE-2023-3519: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8)
Both CVE-2023-3466 and CVE-2023-3467 require authenticated access to the NetScaler management interface. Successful exploitation results in reflected Cross-Site Scripting (XSS) for CVE-2023-3466 or administrator access for CVE-2023-3467.
Successful exploitation of CVE-2023-3519 allows an unauthenticated remote attacker to execute code on a vulnerable device. A proof of concept (PoC) exploit is available and the vendor indicates CVE-2023-3519 is exploited in the wild.
This advisory only applies to customer-managed NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
Exploitation of CVE-2023-3466 requires a victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NetScaler management IP address (NSIP). This results in reflected Cross-Site Scripting (XSS): injection of attacker controlled code in the NetScaler web management pages.
Exploitation of CVE-2023-3467 requires authenticated access to the NetScaler management IP address (NSIP) or to a NetScaler subnet IP (SNIP) with management interface access. Successful exploitation of this CVE results in root administrator (nsroot) privileges.
If the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, it might be vulnerable to CVE-2023-3519. Successful exploitation of CVE-2023-3519 allows an unauthenticated remote attacker to execute code on a vulnerable device. No proof of concept (PoC) exploit is available yet, but the vendor indicates CVE-2023-3519 is exploited in the wild.
Since CVE-2023-3519 is actively exploited, the Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions in order to mitigate the impact of this vulnerability in the most efficient way.
Please upgrade to the vendor recommended version (or higher) after thorough testing and keep an eye out for future security bulletins.
NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
NetScaler ADC and NetScaler Gateway version 12.1 is End Of Life (EOL). Please upgrade to one of the supported versions that addresses the vulnerabilities.
The CCB recommends organisations to upscale monitoring and detection capabilities and to detect any related suspicious activity, ensuring a fast response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise. When applying patches to systems that have been vulnerable to an RCE exploit, a proactive threat assessment should be performed to verify no exploitation occurred prior to patching.