Citrix warns of actively exploited zero-day in ADC and Gateway

Citrix is warning customers of an actively exploited critical vulnerability in NetScaler Application Delivery Controller (ADC) and Gateway.

Citrix is warning customers of a critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler Application Delivery Controller (ADC) and Gateway that is being actively exploited in the wild.

The vulnerability

Tracked as CVE-2023-3519 (CVSS score: 9.8), the vulnerability is a code injection that could result in unauthenticated remote code execution. The IT giant warns of the availability of exploits for this vulnerability that have been observed in attacks against unmitigated appliances. The company added that successful exploitation requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

“Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” reads the report published by Citrix.

The Citrix Cloud Software Group is strongly urging affected customers to install the relevant updated versions as soon as possible. 

Below is the list of the impacted versions:

NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases

NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0  

NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS  

NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS  

NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP 
The advisory states that NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerability. 

Citrix has yet to reveal technical details on the attacks.

NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13

NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)

NetScaler ADC 13.1-FIPS before 13.1-37.159

NetScaler ADC 12.1-FIPS before 12.1-55.297, and

NetScaler ADC 12.1-NDcPP before 12.1-55.297
The company also addressed a Reflected Cross-Site Scripting (XSS) vulnerability tracked as CVE-2023-3466 (CVSS score: 8.3) and a Privilege Escalation to root administrator (nsroot) vulnerability tracked as CVE-2023-3467 (CVSS score: 8.0).

The issues were discovered by Wouter Rijkbost and Jorren Geurts of Resillion.

The company addressed al the issues with the release of the following versions:

NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases

NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0  

NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS  

NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS  

NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP 
Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Citrix)
The post Citrix warns of actively exploited zero-day in ADC and Gateway appeared first on Security Affairs.