JPCERT-AT-2023-0013
JPCERT/CC
2023-07-19 (Initial) 2023-10-11 (Update)

<<< JPCERT/CC Alert 2023-07-19 >>>
Alert Regarding Vulnerability (CVE-2023-3519) in Citrix ADC and Citrix Gateway
https://www.jpcert.or.jp/english/at/2023/at230013.html

I. Overview

On July 18, 2023 (local time), Citrix released information regarding multiple vulnerabilities in Citrix NetScaler ADC (Citrix ADC) and NetScaler Gateway (Citrix Gateway). An unauthenticated, remote attacker exploiting the vulnerability may execute arbitrary code.

Citrix
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Among these vulnerabilities, Citrix is aware of exploits of the remote code execution vulnerability (CVE-2023-3519). Users of the affected products are recommended to take actions such as applying updates according to the information provided by Citrix.

II. Affected Products

The following products and versions are affected by this vulnerability.

- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297

According to Citrix, NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable. Users are recommended to upgrade to one of the supported versions that address the vulnerabilities.

Prerequisites for the vulnerabilities vary. For the remote code execution vulnerability (CVE-2023-3519), the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server to be affected.

III. Solution

Citrix has provided versions that address the vulnerabilities. Please consider updating to these versions by referring to the information provided by Citrix.
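The affected release lines in section II and the fixed builds in section III are easiest to apply across a fleet with a small script. The Python check below is an added example and is not part of the JPCERT alert or of Citrix's bulletin: it encodes the fixed builds from the alert, treats the standard 12.1 line as EOL as the alert states, and runs over a constructed sample inventory (hostnames and versions are invented for illustration). It checks the build number only; the Gateway/AAA configuration prerequisite for CVE-2023-3519 and the post-exploitation investigation recommended later in this alert are separate steps.

```python
"""Check NetScaler ADC / Gateway build numbers against the CVE-2023-3519 fixed builds.

Added example, not JPCERT's or Citrix's code. The fixed builds and the EOL note are
taken from sections II and III of the alert; the inventory at the bottom is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed builds per (release line, variant), as listed in the alert.
# Variant "" is the standard line; "FIPS" and "NDCPP" are the hardened builds.
FIXED_BUILDS: dict[tuple[str, str], tuple[int, int]] = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDCPP"): (55, 297),
}

# Standard 12.1 is End Of Life per the alert: vulnerable, with no fixed build.
EOL_LINES = {("12.1", "")}

# NetScaler version strings look like "13.1-48.47": release line, dash, build major.minor.
VERSION_RE = re.compile(r"^(?P<line>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)$")


@dataclass(frozen=True)
class Verdict:
    host: str
    status: str  # "fixed", "vulnerable", "eol" or "unknown"
    detail: str


def parse_build(version: str) -> tuple[str, tuple[int, int]]:
    """'13.1-48.47' -> ('13.1', (48, 47)). Raises ValueError on unexpected input."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group("line"), (int(m.group("major")), int(m.group("minor")))


def assess(host: str, version: str, variant: str = "") -> Verdict:
    """Compare one appliance's build against the fixed build for its release line.

    Builds are compared as integer tuples, so 13.1-49.9 correctly sorts below
    13.1-49.13 (a plain string comparison would get this wrong).
    This checks the build only: whether CVE-2023-3519 is reachable also depends on
    the appliance being configured as a Gateway or AAA virtual server, and a fixed
    build is no evidence that the host was not compromised before patching.
    """
    try:
        line, build = parse_build(version)
    except ValueError as exc:
        return Verdict(host, "unknown", str(exc))
    key = (line, variant.strip().upper())
    if key in EOL_LINES:
        return Verdict(host, "eol", f"{line} standard is End Of Life and vulnerable; upgrade to a supported line")
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return Verdict(host, "unknown", f"release line {line} {variant or 'standard'} is not listed in the bulletin")
    fixed_str = f"{line}-{fixed[0]}.{fixed[1]}"
    if build >= fixed:
        return Verdict(host, "fixed", f"{version} is at or above fixed build {fixed_str}")
    return Verdict(host, "vulnerable", f"{version} is below fixed build {fixed_str}")


def assess_inventory(rows):
    """Assess a list of (host, version, variant) rows, one Verdict per row."""
    return [assess(*row) for row in rows]


# Constructed sample inventory: hostnames and versions invented for illustration.
SAMPLE_INVENTORY = [
    ("ns-gw-01.example.invalid", "13.1-48.47", ""),
    ("ns-gw-02.example.invalid", "13.1-49.13", ""),
    ("ns-gw-03.example.invalid", "13.1-49.9", ""),
    ("ns-fips-01.example.invalid", "13.1-37.150", "FIPS"),
    ("ns-ndcpp-01.example.invalid", "12.1-55.297", "NDcPP"),
    ("ns-old-01.example.invalid", "12.1-65.39", ""),
    ("ns-bad-01.example.invalid", "NS13.1 48.47", ""),
]

if __name__ == "__main__":
    for v in assess_inventory(SAMPLE_INVENTORY):
        print(f"{v.host:28} {v.status:10} {v.detail}")
```

Any release line or variant that the bulletin does not list comes back as "unknown" rather than "fixed", so a host with an unexpected version string is flagged for manual review instead of being silently counted as patched.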
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

IV. Related Information

On July 20, 2023 (local time), CISA released an alert regarding an attack that exploited the vulnerability (CVE-2023-3519). In June 2023, threat actors exploited this vulnerability to drop a webshell, which they used to view NetScaler configuration files and to collect and then exfiltrate Active Directory (AD) data. The DETECTION METHODS section of the CISA advisory introduces methods and command examples for investigating indications of possible compromise by checking the state of files and logs.

CISA
Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a

On August 14, 2023 (local time), Mandiant published a blog post about activity exploiting the vulnerability (CVE-2023-3519) and released a tool to help organizations scan their appliances for evidence of post-exploitation activity related to CVE-2023-3519. Carrying out such an investigation is recommended in addition to implementing the countermeasures.

Mandiant
Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519)
https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner

V. Attacks exploiting the vulnerability

On August 15, 2023 (local time), Fox-IT released information on attacks exploiting this vulnerability, pointing out that in some cases the backdoor remains even on systems where the patch has been applied. Regardless of when the patch was applied, it is recommended to investigate whether the vulnerability has been exploited.
Fox-IT
Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
https://blog.fox-it.com/2023/08/15/approximately-2000-citrix-netscalers-backdoored-in-mass-exploitation-campaign/

** Update: October 11, 2023 *****************************************

On October 6, 2023 (local time), IBM X-Force released information regarding a campaign in which attackers exploited the vulnerability against unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page and capture user credentials.

IBM X-Force
X-Force uncovers global NetScaler Gateway credential harvesting campaign
https://securityintelligence.com/posts/x-force-uncovers-global-netscaler-gateway-credential-harvesting-campaign/

Since August, JPCERT/CC has been contacting host administrators to provide information on hosts in Japan that may have been victims of attacks exploiting the vulnerability. Users of the product who have not yet implemented countermeasures and investigated this vulnerability are recommended to do so as soon as possible.

*********************************************************************

VI. References

Bleeping Computer
New critical Citrix ADC and Gateway flaw exploited as zero-day
https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-day/

If you have any information regarding this alert, please contact JPCERT/CC.

________

Revision History

2023-07-19 First edition
2023-07-21 Updated "IV. Related Information"
2023-08-16 Added information to "IV. Related Information"
2023-10-11 Added "V. Attacks exploiting the vulnerability", and minor changes to the layout of this alert

======================================================================
JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/