JPCERT-AT-2023-0013
JPCERT/CC
2023-07-19(Initial)
2023-10-11(Update)
Citrix
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
Among these vulnerabilities, Citrix is aware of exploits of the remote code execution vulnerability (CVE-2023-3519). The users of the affected products are recommended to take actions such as applying updates according to the information provided by Citrix.
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
According to Citrix, NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable. Users are recommended to upgrade to one of the supported versions that address the vulnerabilities.
Pre-requisites for the vulnerabilities vary. As for the remote code execution vulnerability (CVE-2023-3519), appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server to be affected.
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
The DETECTION METHODS introduces methods and command examples to investigate the indication of possible compromise by checking the status of files and logs.
CISA
Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a
On August 14, 2023 (local time), Mandiant published a blog about activity exploiting the vulnerability (CVE-2023-3519), releasing a tool to help organizations scan the appliances for evidence of post-exploitation activity related to CVE-2023-3519. It is recommended to investigate in addition to implementing the countermeasures.
Mandiant
Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519)
https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner
Fox-IT
Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
https://blog.fox-it.com/2023/08/15/approximately-2000-citrix-netscalers-backdoored-in-mass-exploitation-campaign/
Bleeping Computer
New critical Citrix ADC and Gateway flaw exploited as zero-day
https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-day/
If you have any information regarding this alert, please contact JPCERT/CC.
2023-07-21 Updated "IV. Related Information"
2023-08-16 Added information to "IV. Related Information"
2023-10-11 Added "V. Attacks exploiting the vulnerability", and minor change to the layouts of this alert
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/
JPCERT/CC
2023-07-19(Initial)
2023-10-11(Update)
I. Overview
On July 18, 2023 (local time), Citrix released information regarding multiple vulnerabilities in Citrix NetScaler ADC (Citrix ADC)and NetScaler Gateway (Citrix Gateway). An unauthenticated, remote attacker exploiting the vulnerability may execute arbitrary code.Citrix
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
Among these vulnerabilities, Citrix is aware of exploits of the remote code execution vulnerability (CVE-2023-3519). The users of the affected products are recommended to take actions such as applying updates according to the information provided by Citrix.
II. Affected Products
The following products and versions are affected by this vulnerability.- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
According to Citrix, NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable. Users are recommended to upgrade to one of the supported versions that address the vulnerabilities.
Pre-requisites for the vulnerabilities vary. As for the remote code execution vulnerability (CVE-2023-3519), appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server to be affected.
III. Solution
Citrix has provided versions that addressed the vulnerabilities. Please consider updating to the versions by referring to the information provided by Citrix.- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
IV. Related Information
On July 20, 2023 (local time), CISA released an alert regarding an attack that had exploited the vulnerability (CVE-2023-3519).In June 2023, threat actors exploited this vulnerability to drop a webshell, leading to view NetScaler configuration files and collect then exfiltrate AD data.The DETECTION METHODS introduces methods and command examples to investigate the indication of possible compromise by checking the status of files and logs.
CISA
Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a
On August 14, 2023 (local time), Mandiant published a blog about activity exploiting the vulnerability (CVE-2023-3519), releasing a tool to help organizations scan the appliances for evidence of post-exploitation activity related to CVE-2023-3519. It is recommended to investigate in addition to implementing the countermeasures.
Mandiant
Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519)
https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner
V. Attacks exploiting the vulnerability
On August 15, 2023 (local time), Fox-IT released information on attacks exploiting this vulnerability, pointing out that there are cases where the backdoor remains even on systems with patches applied.Regardless of when the patch is applied, it is recommended toinvestigate to determine if the vulnerability has been exploited.Fox-IT
Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
https://blog.fox-it.com/2023/08/15/approximately-2000-citrix-netscalers-backdoored-in-mass-exploitation-campaign/
Update: October 11, 2023 Update
On October 6, 2023 (local time), IBM X-Force released information regarding a campaign where attackers were exploiting the vulnerability to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials.
IBM X-Force
X-Force uncovers global NetScaler Gateway credential harvesting campaign
https://securityintelligence.com/posts/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/
Since August, JPCERT/CC has been contacting host administrators to provide information on hosts in Japan that may have been victims of attacks that exploited the vulnerability. Users of the product who are yet to implement countermeasures and investigation regarding this vulnerability are recommended to do so as soon as possible.
IBM X-Force
X-Force uncovers global NetScaler Gateway credential harvesting campaign
https://securityintelligence.com/posts/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/
Since August, JPCERT/CC has been contacting host administrators to provide information on hosts in Japan that may have been victims of attacks that exploited the vulnerability. Users of the product who are yet to implement countermeasures and investigation regarding this vulnerability are recommended to do so as soon as possible.
VI. References
Bleeping Computer
New critical Citrix ADC and Gateway flaw exploited as zero-day
https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-day/
If you have any information regarding this alert, please contact JPCERT/CC.
Revision History
2023-07-19 First edition2023-07-21 Updated "IV. Related Information"
2023-08-16 Added information to "IV. Related Information"
2023-10-11 Added "V. Attacks exploiting the vulnerability", and minor change to the layouts of this alert
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/
