Citrix ADC Vulnerability

This live blog contains information regarding a vulnerability in Citrix ADC. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on July 27, 2023.

Update 27 July 2023

14:00 | Our partner Nextron has published a blog describing step-by-step how to use their THOR APT scanner to identify potential exploitation of CVE-2023-3519 on your vulnerable Citrix ADC or Gateway appliance. This blog leverages the THOR Lite scanner and explains how the scan can be performed.

T-CERT can perform an even more thorough scan for you by using the full version of the THOR APT scanner. In addition, we will interpret the scan results and supply you with an advice.

The blog published by Nextron ca be found here.

If you prefer our assistance, please contact T-CERT via [email protected]. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In case of an emergency, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 21 July 2023

13:00 | The Cybersecurity and Infrastructure Security Agency (CISA) has released a blog regarding CVE-2023-3519, providing information on the background of the vulnerability and the exploitation in the wild.

Installing the software patches is still the top priority. Once finished, we recommend to take a look at the section “Detection Methods” of the blog. The blog can be found here.

Additionally, Deutsche Telekom has released a Python script to determine the running software version of a Citrix solution, based on the “Last-modified” timestamp in the HTTP headers. This is a method to scan for potential vulnerable appliances but should not be the only method for verification. The script can be found here.

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 19 July 2023

18:00 | Citrix has updated their security bulletin and changed the impacted version of the ADC 12.1 branch. The impacted 12.1 FIPS and NDcPP builds are:

• NetScaler ADC 12.1-FIPS before 12.1-55.297
• NetScaler ADC 12.1-NDcPP before 12.1-55.297

Additionally, two IP addresses likely related to the exploitation of CVE-2023-3519 are published. These IP addresses can be used to check firewall or other network security logging:

• 216.41.162[.]172
• 216.51.171[.]17

Citrix consultancy firm Deyda.net has written a blog describing some generic steps to identify possible exploitation of a Citrix appliance. These steps are not specific for CVE-2023-3519, as details regarding exploitation are not publicly available. The blog can be found here.

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 18 July 2023

18:00 | On the 18^th of July, Citrix has released a security bulletin describing three vulnerabilities. The most severe vulnerability is an unauthenticated remote code execution in Citrix ADC and Citrix Gateway, registered as CVE-2023-3519. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the appliance.

Exploits of CVE-2023-3519 have been observed in the wild. Citrix has released software updates. It is highly recommended to apply these security patches as soon as possible.