DIVD-2023-00030 - Citrix systems vulnerable for CVE-2023-3519
| Case lead | Lennaert Oudshoorn |
| Recommendation | Update your system to the latest patched version |
| Patch status | Fully patched |
| Last modified | 11 Aug 2023 09:26 |
Citrix has released a security bulletin notifying of three vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway products. One of these vulnerabilities, tracked as CVE-2023-3519, is an unauthenticated remote code execution vulnerability. It allows an attacker to execute arbitrary commands on a vulnerable, exposed Citrix NetScaler ADC or Gateway. This is a critical vulnerability, and Citrix strongly recommends patching vulnerable systems.
Building upon the earlier notifications of vulnerable Citrix systems, Fox-IT / NCC Group shared data on vulnerable systems whose owners DIVD will notify. The scanning method is published in the Fox-IT blog post referenced below.
CVE-2023-3519 - Unauthenticated remote code execution
This vulnerability allows an attacker to execute arbitrary code on your appliance, which could result in the appliance being taken over remotely, if it is “operating as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server”.
What you can do
If your Citrix server hasn’t been updated to a secure version, we strongly advise you to patch it, especially if you’re utilizing any of the following features:
- SSL VPN
- ICA Proxy
- RDP Proxy
- AAA virtual server
If you are not using any of these features, we still recommend patching to a non-vulnerable version, so that your appliance does not become vulnerable once you enable one of these functions in the future.
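The advice above reduces to two questions per appliance: is the installed build older than the fixed build for its release train, and is one of the listed features configured? The helper below, an added example that is not DIVD's or Citrix's code, parses the version line printed by `show ns version` on a NetScaler appliance and combines both answers into a triage verdict. The fixed builds per train are not stated on this page; the `FIXED_BUILDS` dictionary holds placeholders that an operator must replace with the values from the Citrix bulletin, and the feature names are assumed labels that the operator fills in from the appliance's own configuration.

```python
"""Triage helper for CVE-2023-3519 patch status (added example).

Assumptions: the version line has the shape printed by `show ns version`,
e.g. "NetScaler NS13.1: Build 49.13.nc, Date: ...", and the operator
supplies the minimum fixed build per release train from the Citrix
bulletin. The FIXED_BUILDS values here are PLACEHOLDERS, not real data.
"""
import re
from dataclasses import dataclass

# "NS13.1: Build 49.13.nc" -> major=13, minor=1, build=49, sub=13
_VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")

# PLACEHOLDER thresholds keyed by release train (major, minor).
# Replace with the fixed builds from the Citrix bulletin before use.
FIXED_BUILDS = {
    (13, 1): (0, 0),  # placeholder
    (13, 0): (0, 0),  # placeholder
}

# Assumed feature labels matching the list in the advisory above.
EXPOSED_FEATURES = {"ssl_vpn", "ica_proxy", "rdp_proxy", "aaa_vserver"}


@dataclass
class Verdict:
    train: tuple       # (major, minor) release train
    build: tuple       # (build, sub-build)
    patched: bool      # build >= fixed build for this train
    exposed: bool      # at least one listed feature is configured

    @property
    def urgency(self) -> str:
        if self.patched:
            return "patched"
        # Unpatched appliances are urgent when exposed, but the advisory
        # recommends patching either way.
        return "patch now" if self.exposed else "patch (not yet exposed)"


def parse_version(line: str):
    """Return ((major, minor), (build, sub)) from a `show ns version` line."""
    m = _VERSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    major, minor, build, sub = map(int, m.groups())
    return (major, minor), (build, sub)


def assess(version_line: str, configured_features, fixed_builds=None) -> Verdict:
    """Combine build comparison and feature exposure into one verdict."""
    fixed_builds = FIXED_BUILDS if fixed_builds is None else fixed_builds
    train, build = parse_version(version_line)
    if train not in fixed_builds:
        # Unknown train: refuse to guess rather than report "patched".
        raise KeyError(f"no fixed build known for release train {train}")
    patched = build >= fixed_builds[train]   # tuple comparison: build, then sub
    exposed = bool(EXPOSED_FEATURES & set(configured_features))
    return Verdict(train, build, patched, exposed)


if __name__ == "__main__":
    # Constructed sample input and constructed thresholds for demonstration.
    sample_line = "NetScaler NS13.1: Build 49.13.nc, Date: Jan 1 2023"
    sample_thresholds = {(13, 1): (50, 0)}
    v = assess(sample_line, ["ica_proxy"], sample_thresholds)
    print(f"train={v.train} build={v.build} -> {v.urgency}")
```

Run it against the output of `show ns version` from each appliance in your inventory and a feature list taken from that appliance's configuration; the verdict refuses to report "patched" for a release train it has no threshold for, which is the safer failure mode for a triage tool.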
What we are doing
Fox-IT / NCC Group has shared data of vulnerable systems. DIVD will notify owners of vulnerable systems.
| 18 Jul 2023 | Citrix releases a security bulletin for CVE-2023-3519, CVE-2023-3467 and CVE-2023-3466 |
| 19 Jul 2023 | DIVD starts notifying owners of vulnerable systems |
- Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
- Fox-IT blog post by Yun Hu