CSO Senior Writer

Threat actors actively exploiting critical flaw in NetScaler ADC devices

News Analysis
Jul 24, 2023 | 5 min read
Cyberattacks, Network Security, Vulnerabilities

New research shows that more than half the NetScaler ADC devices remain unpatched.

[Image: IP network devices. Credit: Shutterstock / Funtap]

The US Cybersecurity and Infrastructure Security Agency (CISA) reported last week that attackers are actively exploiting a critical remote code execution vulnerability patched earlier this month in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Researchers believe there are multiple similar vulnerabilities and that over 50% of appliances connected to the internet remain vulnerable.

“By inspecting Citrix's released software images, we know that patched ADC releases were packaged in July 2023,” researchers from security firm Bishop Fox said in a report. “If we search Shodan for that month in the Last-Modified HTTP response header, we can find devices that have been patched. Our analysis shows 53% (32k) of internet-exposed Citrix ADC appliances to be unpatched, and a smaller subset of 35% (21k) to be unpatched and exposing the vulnerable route.”
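The Bishop Fox heuristic quoted above (patched ADC images were packaged in July 2023, so an older Last-Modified header suggests an unpatched build) can be turned into a quick inventory check for your own appliances. The following is an added example, not Bishop Fox's or Citrix's code; the hostnames, header values and the July 1 cut-off date are assumptions for illustration (the report gives only the month).

```python
"""Classify NetScaler ADC / Gateway appliances by their HTTP Last-Modified header.

Added example based on the Bishop Fox observation that patched releases were
packaged in July 2023. A Last-Modified date before that month is a hint (not
proof) that the appliance is still running an unpatched image.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional
import urllib.request

# Assumption: first day of the month in which patched images were packaged.
# Bishop Fox says "July 2023" without a day, so July 1 is used as the boundary.
PATCHED_SINCE = datetime(2023, 7, 1, tzinfo=timezone.utc)


def classify_last_modified(last_modified: Optional[str]) -> str:
    """Return 'patched-era', 'likely-unpatched' or 'unknown' for one header value."""
    if not last_modified:
        return "unknown"
    try:
        stamp = parsedate_to_datetime(last_modified)
    except (TypeError, ValueError):          # unparseable or missing date
        return "unknown"
    if stamp.tzinfo is None:                  # a "-0000" zone yields a naive datetime
        stamp = stamp.replace(tzinfo=timezone.utc)
    return "patched-era" if stamp >= PATCHED_SINCE else "likely-unpatched"


def classify_inventory(headers_by_host: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Classify a whole inventory given {host: response-headers}."""
    return {
        host: classify_last_modified(headers.get("Last-Modified"))
        for host, headers in headers_by_host.items()
    }


def summarize(results: Dict[str, str]) -> Dict[str, int]:
    """Count verdicts so the fleet-wide patch ratio is visible at a glance."""
    counts = {"patched-era": 0, "likely-unpatched": 0, "unknown": 0}
    for verdict in results.values():
        counts[verdict] += 1
    return counts


def fetch_headers(url: str, timeout: float = 5.0) -> Dict[str, str]:
    """Fetch response headers from one of your own appliances.

    Needs network access; the offline demo below uses constructed headers instead.
    """
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample inventory: hostnames and header values are made up.
SAMPLE_INVENTORY = {
    "adc-1.example.internal": {"Last-Modified": "Tue, 11 Jul 2023 14:02:10 GMT"},
    "adc-2.example.internal": {"Last-Modified": "Mon, 05 Jun 2023 09:41:55 GMT"},
    "adc-3.example.internal": {"Server": "nginx"},   # header stripped by a proxy
}

if __name__ == "__main__":
    verdicts = classify_inventory(SAMPLE_INVENTORY)
    for host, verdict in verdicts.items():
        print(f"{host}: {verdict}")
    print(summarize(verdicts))
```

Treat the result as a triage signal only: Last-Modified reflects the build date of the static content being served, so a reverse proxy, a cached response or a stripped header all produce wrong or unknown verdicts. Confirm the actual firmware version on the appliance before closing the finding.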

Multiple remote code execution vulnerabilities

On July 18, Citrix released patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical one tracked as CVE-2023-3519 that has a CVSS severity score of 9.8 out of 10 and allows for unauthenticated remote code execution when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.

Citrix acquired NetScaler in 2005 and later changed the name of the popular NetScaler application delivery controller (ADC) to Citrix ADC. Last year, the company decided to bring back the NetScaler brand so Citrix ADC became NetScaler ADC again.

After the patches were released, researchers from security firms Rapid7 and Assetnote independently analyzed them and reported what they identified as the root cause of CVE-2023-3519. Both companies reported that exploitation required SAML to be enabled, because the flaw they found stemmed from a memory corruption in the SAML parser.

This didn’t match the description provided by Citrix in the advisory, which made no mention of SAML. Researchers from security firm Bishop Fox then launched their own investigation and found a bug that more closely matched the claim in the Citrix advisory.

“The vulnerability we identified only requires the device to be configured as a gateway or AAA virtual server, and to expose a specific vulnerable route that seems to be enabled by default on some installations, but not others (we're not yet sure what causes this variance),” the Bishop Fox researchers said. “Given the lack of SAML requirement, we believe that this stack overflow is CVE-2023-3519, and the SAML parser bug is a separate vulnerability which was silently patched without an associated advisory.”

Researchers from Assetnote confirmed Monday, after additional investigation, that there indeed appear to be two separate remote code execution flaws: one that doesn’t require SAML and is likely CVE-2023-3519, and the SAML-dependent one they initially found.

CVE-2023-3519 was a zero-day vulnerability

According to a CISA advisory released Thursday, attackers have been exploiting the CVE-2023-3519 flaw since June to deploy webshells on appliances. This means the vulnerability had zero-day status — publicly known and unpatched — for around a month.

According to CISA, the attack was detected on a NetScaler appliance belonging to a critical infrastructure organization and the attackers used the webshell — a web-based backdoor script — to scan the victim’s Active Directory (AD) environment and to exfiltrate data about it.

The attackers subsequently attempted to move laterally to a domain controller on the network but were blocked by network segmentation policies. The attackers also deployed a second PHP-based webshell with proxying capabilities to proxy SMB traffic to the targeted domain controller.

“The actors deleted the authorization configuration file (/etc/auth.conf), likely to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI),” CISA said. “To regain access to the ADC appliance, the organization would normally reboot into single-user mode, which may have deleted artifacts from the device; however, the victim had an SSH key readily available that allowed them into the appliance without rebooting it.”

Bishop Fox worked with the GreyNoise intelligence service, which maintains a network of sensors to track automated exploitation attempts. Since detection was added on July 21, GreyNoise has observed no exploitation attempts. This doesn’t mean that targeted attacks like the one in June are not happening. Now that more details about the vulnerability are available, other attackers might develop exploits and the number of attacks might increase. The fact that 53% of publicly exposed NetScaler ADC appliances have yet to deploy the patches is concerning.
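The CISA account above carries two practical points for responders: the deletion of /etc/auth.conf is itself an indicator, and rebooting into single-user mode to regain access can destroy evidence, so a file listing should be captured over SSH first and examined offline. The script below is an added example, not CISA's, Citrix's or Bishop Fox's tooling. Only the /etc/auth.conf path comes from the report; the served-directory root (/PLACEHOLDER/webroot/), the June 1 start of the suspicious window (the report says only "since June") and the sample listing are constructed assumptions.

```python
"""Offline triage of a captured NetScaler ADC file listing.

Added example. Input is the output of something like
`find / -printf '%T@\\t%p\\n'` collected over SSH before any reboot, so that
artifacts survive. Two checks are applied: is /etc/auth.conf present (CISA
reported the actors deleting it), and were files written inside a served
directory during the suspected compromise window (where a dropped webshell
would have to live to be reachable over HTTP).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Tuple

AUTH_CONF = "/etc/auth.conf"   # the only path taken from the CISA report

# Assumption: CISA says exploitation began "in June"; June 1 is used as the window start.
SINCE = datetime(2023, 6, 1, tzinfo=timezone.utc)

# Placeholder: replace with the directories your appliance actually serves over HTTP.
SAMPLE_ROOTS: Tuple[str, ...] = ("/PLACEHOLDER/webroot/",)


@dataclass(frozen=True)
class Entry:
    path: str
    mtime: datetime   # modification time, UTC


def parse_listing(lines: Iterable[str]) -> List[Entry]:
    """Parse '<epoch seconds>\\t<path>' lines into Entry objects."""
    entries: List[Entry] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        epoch, path = raw.split("\t", 1)
        stamp = datetime.fromtimestamp(int(float(epoch)), tz=timezone.utc)
        entries.append(Entry(path, stamp))
    return entries


def triage(entries: List[Entry], roots: Tuple[str, ...], since: datetime) -> List[str]:
    """Return human-readable findings; an empty list means neither indicator fired."""
    findings: List[str] = []
    present = {e.path for e in entries}
    if AUTH_CONF not in present:
        findings.append(f"{AUTH_CONF} is missing (CISA reported the actors deleting it)")
    for e in entries:
        if e.path.startswith(roots) and e.mtime >= since:
            findings.append(
                f"{e.path} modified {e.mtime.isoformat()} inside a served directory"
            )
    return findings


# Constructed sample listing (epoch seconds, tab, path); values are made up.
SAMPLE_LISTING = [
    "1686000000\t/etc/passwd",                         # June 2023, outside served roots
    "1672531200\t/PLACEHOLDER/webroot/logon.js",       # Jan 2023, before the window
    "1688200000\t/PLACEHOLDER/webroot/index.html",     # Jul 2023, inside the window
    # note: no /etc/auth.conf line, mirroring the deletion CISA described
]

if __name__ == "__main__":
    for finding in triage(parse_listing(SAMPLE_LISTING), SAMPLE_ROOTS, SINCE):
        print(finding)
```

A legitimate upgrade also rewrites files under the served directories, so compare the flagged mtimes against your change records before treating a hit as a webshell; the auth.conf check is the sharper of the two signals.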

“At Bishop Fox, we want to see our customers keep their most important assets patched in a timely manner, especially those with vulnerabilities that are proven to be exploitable,” the company said. “If you've got a Citrix ADC installation, please follow Citrix's advisory for this issue and upgrade your firmware immediately.”