ClickySkip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

Citrix ADC Vulnerability

This live blog contains information regarding a vulnerability in Citrix ADC. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on July 27, 2023.

Update 27 July 2023

14:00 | Our partner Nextron has published a blog describing step-by-step how to use their THOR APT scanner to identify potential exploitation of CVE-2023-3519 on your vulnerable Citrix ADC or Gateway appliance. This blog leverages the THOR Lite scanner and explains how the scan can be performed.

T-CERT can perform an even more thorough scan for you by using the full version of the THOR APT scanner. In addition, we will interpret the scan results and supply you with an advice.

The blog published by Nextron ca be found here.

If you prefer our assistance, please contact T-CERT via [email protected]. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In case of an emergency, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 21 July 2023

13:00 | The Cybersecurity and Infrastructure Security Agency (CISA) has released a blog regarding CVE-2023-3519, providing information on the background of the vulnerability and the exploitation in the wild.

Installing the software patches is still the top priority. Once finished, we recommend to take a look at the section “Detection Methods” of the blog. The blog can be found here.

Additionally, Deutsche Telekom has released a Python script to determine the running software version of a Citrix solution, based on the “Last-modified” timestamp in the HTTP headers. This is a method to scan for potential vulnerable appliances but should not be the only method for verification. The script can be found here.

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 19 July 2023

18:00 | Citrix has updated their security bulletin and changed the impacted version of the ADC 12.1 branch. The impacted 12.1 FIPS and NDcPP builds are:

  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

Additionally, two IP addresses likely related to the exploitation of CVE-2023-3519 are published. These IP addresses can be used to check firewall or other network security logging:

  • 216.41.162[.]172
  • 216.51.171[.]17

Citrix consultancy firm Deyda.net has written a blog describing some generic steps to identify possible exploitation of a Citrix appliance. These steps are not specific for CVE-2023-3519, as details regarding exploitation are not publicly available. The blog can be found here.

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Update 18 July 2023

18:00 | On the 18th of July, Citrix has released a security bulletin describing three vulnerabilities. The most severe vulnerability is an unauthenticated remote code execution in Citrix ADC and Citrix Gateway, registered as CVE-2023-3519. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the appliance.

Exploits of CVE-2023-3519 have been observed in the wild. Citrix has released software updates. It is highly recommended to apply these security patches as soon as possible.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On the 18th of July, Citrix has released a security bulletin describing three vulnerabilities. The most severe vulnerability is an unauthenticated remote code execution in Citrix ADC and Citrix Gateway, registered as CVE-2023-3519. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the appliance.

Exploits of CVE-2023-3519 have been observed in the wild. Citrix has released software updates. It is highly recommended to apply these security patches as soon as possible.

Potential Risk

The vulnerability CVE-2023-3519 has a CVSS score of 9.8. The CVSS scale runs from 0 to 10. A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact. The CVE-2023-3519 vulnerability is an unauthenticated remote code execution in Citrix ADC and Citrix Gateway and allows an unauthenticated attacker to execute code on the device.

Exploits of CVE-2023-3519 have been observed in the wild. Combined with the exposed character of the affected solutions makes this a very critical vulnerability which must be patched as soon as possible.

Detail info

Citrix ADC or Citrix Gateway solutions configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server are vulnerable.

The following supported versions of NetScaler ADC and NetScaler Gateway are vulnerable:

  • NetScaler ADC and NetScaler Gateway 1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.1-65.36

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable. Customers are strongly recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Security updates are available. Please upgrade to the following version:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.

Subscribe

Do you want to be informed in time? Sign up for our technical updates

Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.

Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.