15K Citrix Servers Vulnerable to CVE-2023-3519 RCE Attacks
A critical remote code execution (RCE) bug, CVE-2023-3519, has left over 15,000 Citrix Netscaler ADC and Gateway servers vulnerable to potential attacks.
Security researchers from the Shadowserver Foundation reported the exposure of these appliances, urging users to promptly update their systems with the released security patches to prevent exploitation.
Key Takeaways:
- Over 15,000 Citrix Netscaler ADC and Gateway servers are at risk of remote code execution attacks due to a critical vulnerability, CVE-2023-3519.
- Security researchers from the Shadowserver Foundation identified the exposed appliances based on version information, urging users to update their systems to prevent potential exploitation.
- Citrix released security updates to address the vulnerability and advised users to install the patches immediately. U.S. federal agencies were also ordered to secure Citrix servers against ongoing attacks by a specific date.
Vulnerability Exploitation and Exposure
The Shadowserver Foundation, dedicated to enhancing internet security, reported that over 15,000 Citrix Netscaler ADC and Gateway servers are exposed to attacks exploiting a critical RCE vulnerability, CVE-2023-3519.
The researchers identified vulnerable instances from the version hashes the appliances expose. Because Citrix removed version hash information in recent revisions, only instances still providing version hashes could be identified this way.
The actual number of exposed Citrix servers is therefore believed to be higher, since appliances running revisions without version hashes could not be counted.
Citrix’s Response and Patch
Citrix took swift action to address the RCE vulnerability by releasing security updates on July 18th.
The company confirmed that it had observed exploitation of unmitigated appliances and urgently advised customers to install the patches to secure their systems. Citrix clarified that only unpatched Netscaler appliances configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication (AAA) virtual server are vulnerable.
Additional Vulnerabilities Patched
In addition to CVE-2023-3519, Citrix also patched two other high-severity vulnerabilities, CVE-2023-3466 and CVE-2023-3467. The former enables attackers to execute reflected cross-site scripting (XSS) attacks, while the latter allows for privilege elevation to gain root permissions.
However, exploiting the second vulnerability, CVE-2023-3467, requires authenticated access to the vulnerable appliance’s management interface, which limits its impact.
CISA’s Warning and Breach Incident
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to secure their Citrix servers by August 9th, following reports of ongoing attacks.
CISA warned that the vulnerability had already been exploited as a zero-day to compromise a U.S. critical infrastructure organization.
The attackers deployed a web shell on a NetScaler ADC appliance and used it to perform discovery against the victim’s Active Directory and collect data. Their attempt to move laterally to a domain controller was blocked by network segmentation controls.
Conclusion
The discovery of the CVE-2023-3519 RCE vulnerability highlights the importance of promptly updating and patching software systems to safeguard against potential cyberattacks. Citrix’s swift response and release of security updates demonstrate their commitment to addressing vulnerabilities.
Users are advised to take immediate action to secure their Citrix servers and prevent potential exploitation by threat actors.