DIVD-2023-00030 - Citrix systems vulnerable for CVE-2023-3519

Summary

Citrix has released a security bulletin notifying of three vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway products. One of these vulnerabilities tracked as CVE-2023-3519 is an unauthenticated remote code execution vulnerability. This would allow an attack to execute arbitrary commands on a vulnerable exposed Citrix NetScaler ADC or Gateway. This is a critical vulnerability, and Citrix urges recommends patching vulnerable systems.

Building upon the earlier notifications of vulnerable Citrix systems, Fox-IT / NCC Group shared data of vulnerable systems that DIVD will notify. The scanning method is published in the following blog post.

CVE-2023-3519 - Unauthenticated remote code execution

This vulnerability will allow an attacker to execute arbitrary code on your appliance which could result in the appliance being taken over remotely by an attacker if it is “operating as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server”.

What you can do

If your Citrix server hasn’t been updated to a secure version, we strongly advise you to patch it, especially if you’re utilizing any of the following features:

• SSL VPN
• ICA Proxy
• CVPN
• RDP Proxy
• AAA virtual server

If you are not using one of these servers we still recommend that you patch to a non-vulnerable version to prevent that your appliance becomes vulnerable when you start using one of these functions in the future.

What we are doing

Fox-IT / NCC Group has shared data of vulnerable systems. DIVD will notify owners of vulnerable systems.

Timeline

More information

• Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
• Fox-IT blogpost by Yun Hu