CVE-2023-3519: Citrix ADC / Gateway remote code execution

Le Lab Gatewatcher

On July 18, 2023, Citrix published a security bulletin for its NetScaler ADC and NetScaler Gateway products (formerly Citrix ADC and Citrix Gateway).

The bulletin covers three vulnerabilities:

  • CVE-2023-3467: privilege escalation to root (CVSSv3: 8.0)
  • CVE-2023-3466: reflected cross-site scripting (CVSSv3: 8.3)
  • CVE-2023-3519 (CVSSv3: 9.8): the subject of this bulletin, an unauthenticated remote code execution. According to the vendor, this vulnerability is already being actively exploited.

The following versions are affected:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

The vulnerability is not exploitable in a default configuration, but the only prerequisite is that the appliance be configured as a Gateway (VPN, RDP, …) or as an AAA virtual server, which describes the most common deployments.
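To turn the affected-versions list and the configuration prerequisite above into a check that can be run over an inventory, here is a small Python helper. It is an added example by the editor, not Gatewatcher or Citrix tooling. It assumes builds are written as branch-build.sub with an optional -FIPS or -NDcPP suffix to mark the hardened branches (an input convention chosen for this example), and the hostnames and builds in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# First fixed build on each affected branch, copied from the Citrix bulletin
# quoted above.  Key: (branch, variant); variant "" is the standard build.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("13.1", ""):      (49, 13),
    ("13.0", ""):      (91, 13),
    ("13.1", "FIPS"):  (37, 159),
    ("12.1", "FIPS"):  (55, 297),
    ("12.1", "NDCPP"): (55, 297),
}

# Standard 12.1 is end-of-life: affected, and no fix will be published.
EOL_BRANCHES = {("12.1", "")}

# Assumed input convention for this example: "13.1-48.47", "12.1-55.296-FIPS".
_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)


def parse_build(version: str) -> Tuple[str, str, Tuple[int, int]]:
    """Split a build string into (branch, variant, (build, sub-build))."""
    m = _BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    branch, build, sub, variant = m.groups()
    return branch, (variant or "").upper(), (int(build), int(sub))


def assess(version: str, gateway_or_aaa: bool) -> str:
    """Classify one appliance.

    gateway_or_aaa: True when a Gateway (VPN, RDP, ...) or AAA virtual server
    is configured, the exploitation prerequisite named in the bulletin.
    """
    branch, variant, build = parse_build(version)
    key = (branch, variant)
    if key in FIXED_BUILDS:
        if build >= FIXED_BUILDS[key]:          # tuple compare: (49, 13) >= (49, 13)
            return "patched"
        status = "vulnerable"
    elif key in EOL_BRANCHES:
        status = "vulnerable (end-of-life, no patch: upgrade)"
    else:
        return "unknown branch: check the vendor bulletin"
    if gateway_or_aaa:
        return status + "; exposed"
    return status + "; not exposed in current configuration, patch anyway"


def triage(inventory: List[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Run assess() over (hostname, build, gateway_or_aaa) records."""
    return {host: assess(build, exposed) for host, build, exposed in inventory}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and builds are made up).
    sample = [
        ("ns-gw-01", "13.1-48.47", True),
        ("ns-gw-02", "13.1-49.13", True),
        ("ns-lb-01", "13.0-90.12", False),
        ("ns-fips-01", "12.1-55.296-FIPS", True),
        ("ns-legacy-01", "12.1-65.39", True),
    ]
    for host, verdict in triage(sample).items():
        print(f"{host:14} {verdict}")
```

A branch the bulletin does not list (for example a later release train) is reported as unknown rather than patched, so the check fails safe when the fixed-builds table is out of date.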

 

Direct access to protected resources

NetScaler ADC and Gateway appliances exist to protect and optimise access to applications, including access from the Internet. Like firewalls, that position makes them prime targets: compromising the very device that is supposed to protect the resources gives the attacker direct access to those resources. The effort spent gaining a foothold therefore pays off, and because the appliance is trusted by everything around it, the attacker's subsequent activity is less likely to be noticed.

Standard (non-FIPS, non-NDcPP) NetScaler ADC and NetScaler Gateway 12.1 is no longer supported but is still vulnerable. No patch will be released for it; the only remediation is to upgrade to a supported release.

 

Technical details of the attack

Few technical details about the vulnerability itself are public. An exploit appears to have been circulating on underground forums since the beginning of the month, but to date there is no public proof of concept on which to base reliable detection.

Since the bulletin was published, several investigations have been carried out. A CISA advisory gives a clearer picture and provides a few detection elements. The observed attack chain is as follows:

  • the initial exploit drops a tarball containing a minimal webshell, a reconnaissance script and a setuid binary (which executes with the privileges of the binary's owner rather than those of the user launching it)
  • Active Directory reconnaissance using the directory connection credentials configured on the NetScaler
  • compression and encryption of the collected data
  • staging of the encrypted archive as an image file so it can be retrieved over HTTP
  • subnet reconnaissance with curl and SMB in preparation for lateral movement
  • outbound connectivity tests.

How to detect exploitation of this vulnerability?

To date, the lack of official information means the root cause of the vulnerability can only be guessed at.

Among the available publications, one team of researchers performed a patch diff, that is a comparison between a vulnerable build and a fixed one, and concluded that exploitation required SAML to be enabled. A second team reported a stack-based overflow that only requires the appliance to be configured as a Gateway or as an AAA virtual server.

The picture therefore remains incomplete, and there is very little to build detection on. The only published network IoCs are two IP addresses:

  • 216.41.162.172
  • 216.51.171.17

While waiting for more details on the vulnerability itself, you can still detect the post-exploitation activity described above. For example, use:

  • Emerging Threats rule 2013028, which detects the curl user-agent in outbound HTTP requests
  • a rule detecting exfiltration of a compressed archive disguised as an image, served by the appliance itself:
    alert http <Citrix IPs> any -> any any (msg:"GW LAB Possible exfiltration attempt as png"; flow:established,to_client; fileext:"png"; filemagic:"gzip compressed data"; sid:1000001; rev:1;)
    Replace <Citrix IPs> with the addresses of your NetScaler appliances. The rule fires when a file requested with a .png extension actually carries gzip content; it will not match if the archive was encrypted after compression, since the body then no longer starts with the gzip magic.
  • Emerging Threats rule 2046885 (ET WEB_SPECIFIC_APPS Citrix/Netscaler ADC and NetScaler Gateway RCE Attempt CVE-2023-3519), which detects an exploitation attempt.
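The PNG rule above depends on the sensor recognising the body as gzip. The following Python snippet is an added example (editor's code, not a Gatewatcher rule and not part of the original post) that applies the same idea offline to captured HTTP transactions and generalises it: any object served by the appliance under a .png name whose first bytes are not the PNG signature is flagged, whatever the real content. The transaction records, addresses and URIs are constructed for the demonstration.

```python
import gzip
from dataclasses import dataclass
from typing import List, Set, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"       # every genuine PNG starts with these 8 bytes
GZIP_SIG = b"\x1f\x8b"               # what the Suricata filemagic above matches
OPENSSL_SALTED = b"Salted__"         # header of password-based 'openssl enc' output


@dataclass
class HttpTransaction:
    """Minimal view of one HTTP response as a sensor or proxy would record it."""
    server_ip: str
    uri: str
    body: bytes


def identify_magic(body: bytes) -> str:
    """Classify a body by its leading bytes."""
    if body.startswith(PNG_SIG):
        return "png"
    if body.startswith(GZIP_SIG):
        return "gzip"
    if body.startswith(OPENSSL_SALTED):
        return "openssl-enc"
    return "unknown"


def check(tx: HttpTransaction, netscaler_ips: Set[str]) -> Tuple[bool, str]:
    """Return (alert?, reason) for one transaction.

    Mirrors the rule: only responses *from* the appliance count (flow to_client)
    and the requested name must end in .png.  Unlike the rule, any non-PNG body
    is flagged, so an archive encrypted after compression is still caught.
    """
    if tx.server_ip not in netscaler_ips:
        return False, "not served by a NetScaler"
    path = tx.uri.split("?", 1)[0].lower()
    if not path.endswith(".png"):
        return False, "not requested as .png"
    kind = identify_magic(tx.body)
    if kind == "png":
        return False, "genuine PNG"
    return True, f".png name but {kind} content"


def scan(txs: List[HttpTransaction], netscaler_ips: Set[str]) -> List[Tuple[str, str]]:
    """Return (uri, reason) for every transaction that should alert."""
    hits = []
    for tx in txs:
        alert, reason = check(tx, netscaler_ips)
        if alert:
            hits.append((tx.uri, reason))
    return hits


# Constructed sample traffic.  10.0.0.10 stands for the appliance; the other
# address is an unrelated web server.  URIs are made up for the example.
NETSCALER_IPS = {"10.0.0.10"}
SAMPLE_TRAFFIC = [
    HttpTransaction("10.0.0.10", "/vpn/images/logo.png", PNG_SIG + b"\x00" * 16),
    HttpTransaction("10.0.0.10", "/vpn/images/banner.png", gzip.compress(b"tar contents")),
    HttpTransaction("10.0.0.10", "/vpn/images/theme.png?v=2", OPENSSL_SALTED + b"\x01" * 16),
    HttpTransaction("10.0.0.10", "/vpn/index.html", b"<html>"),
    HttpTransaction("192.0.2.50", "/download/archive.png", gzip.compress(b"elsewhere")),
]

if __name__ == "__main__":
    for uri, reason in scan(SAMPLE_TRAFFIC, NETSCALER_IPS):
        print(f"ALERT {uri}: {reason}")
```

In a real pipeline the body bytes would come from the sensor's file extraction rather than from a log line, and a mislabelled but legitimate file will also trigger; the point of the generalisation is that an encrypted blob, which the gzip filemagic misses, is still flagged because it cannot pass for a PNG.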

Scripts that fingerprint the appliance from its HTTP response headers (for example the one published by Deutsche Telekom's CERT) can also be used to identify potentially vulnerable instances from the outside.

The CISA cybersecurity advisory also lists indicators that can be checked directly on the appliance to determine whether it has already been compromised.

 

It is important to note that applying the vendor's patches only prevents future exploitation attempts. If the appliance was compromised before patching, the patch neither removes a webshell already dropped on it nor invalidates credentials already harvested from it; the appliance must be checked for compromise separately.

 

Author : Purple Team Gatewatcher 

Resources