Skip to the content.

DIVD-2023-00030 - Citrix systems vulnerable for CVE-2023-3519

Our reference DIVD-2023-00030
Case lead Lennaert Oudshoorn
Researcher(s)
  • Yun Hu (Fox-IT)
  • Max Groot (Fox-IT)
CVE(s)
Products
  • Citrix ADC
  • Citrix Gateway
Versions
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297
  • NetScaler ADC and NetScaler Gateway version 12.1 is End Of Life (EOL) and is vulnerable.
Recommendation Update your system to the latest patched version
Patch status Fully patched
Status Open
Last modified 11 Aug 2023 09:26

Summary

Citrix has released a security bulletin notifying of three vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway products. One of these vulnerabilities tracked as CVE-2023-3519 is an unauthenticated remote code execution vulnerability. This would allow an attack to execute arbitrary commands on a vulnerable exposed Citrix NetScaler ADC or Gateway. This is a critical vulnerability, and Citrix urges recommends patching vulnerable systems.

Building upon the earlier notifications of vulnerable Citrix systems, Fox-IT / NCC Group shared data of vulnerable systems that DIVD will notify. The scanning method is published in the following blog post.

CVE-2023-3519 - Unauthenticated remote code execution

This vulnerability will allow an attacker to execute arbitrary code on your appliance which could result in the appliance being taken over remotely by an attacker if it is “operating as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server”.

What you can do

If your Citrix server hasn’t been updated to a secure version, we strongly advise you to patch it, especially if you’re utilizing any of the following features:

If you are not using one of these servers we still recommend that you patch to a non-vulnerable version to prevent that your appliance becomes vulnerable when you start using one of these functions in the future.

What we are doing

Fox-IT / NCC Group has shared data of vulnerable systems. DIVD will notify owners of vulnerable systems.

Timeline

Date Description
18 Jul 2023 Citrix releases a security bulletin for CVE-2023-3519, CVE-2023-3467 and CVE-2023-3466
19 Jul 2023 DIVD starts notifying owners of vulnerable systems
gantt title DIVD-2023-00030 - Citrix systems vulnerable for CVE-2023-3519 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00030 - Citrix systems vulnerable for CVE-2023-3519 (still open) :2023-07-18, 2024-03-04 section Events Citrix releases a security bulletin for CVE-2023-3519, CVE-2023-3467 and CVE-2023-3466 : milestone, 2023-07-18, 0d DIVD starts notifying owners of vulnerable systems : milestone, 2023-07-19, 0d

More information