Just in Time Bulletin: CVE-2023-3519 Citrix NetScaler Gateway and ADC RCE
What is CVE-2023-3519?
Researchers have discovered that Citrix NetScaler Gateway and NetScaler ADC are vulnerable to unauthenticated remote code execution. The flaw stems from insufficient input validation, which can be abused to trigger a stack-based buffer overflow. NetScaler ADC and NetScaler Gateway are enterprise products that provide remote access and load balancing, among other functions. They are distinct products, but they share a large amount of functionality and, as it turns out, exploitability.
An analysis of the patches released by Citrix revealed changes in the function “ns_aaa_gwtest_get_event_and_target_names,” where additional checks were added around calls to “ns_aaa_saml_url_decode.” A review of the call stack showed that the vulnerable function is called from “ns_aaa_gwtest_get_valid_fsso_server,” which is reachable by unauthenticated attackers at the endpoint “/gwtest/formssso”. The “formssso” endpoint expects an “event” and a “target” value submitted as URL query parameters. Because the “target” value is not bounds-checked, an attacker can supply an excessively long value that overflows the stack buffer and crashes the process. A crafted value in the target parameter can give the attacker control of the instruction pointer (EIP).
Researchers have successfully weaponized this vulnerability to achieve remote code execution. NetScaler Gateway and ADC are widely deployed: a few simple Shodan queries identified nearly 70,000 Internet-facing instances. Given that unauthenticated actors can exploit this vulnerability and how prevalent these products are, it is safe to assume mass exploitation is already underway. Patch yesterday or risk compromise.
How bad is this?
Active exploitation today: exploited in the wild before a patch was available.
- Credentials are NOT required
- Exploited in the wild
- Low level of complexity
- Abundance of targets
How is it exploited?
Exploitation requires only a crafted request to the vulnerable endpoint. Appliances that are not configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server are not exploitable.
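The following is an added detection example, not code from this bulletin or from Citrix. It scans web-access-log lines for the request pattern described above: an unauthenticated hit on /gwtest/formssso carrying an oversized “target” query parameter. It assumes Apache-style Common Log Format (for example from a reverse proxy or web-server log in front of the appliance); the length threshold MAX_TARGET_LEN is an assumed tuning value, since the real stack buffer size is not stated here, and the log lines are constructed for illustration.

```python
"""Flag access-log requests matching the CVE-2023-3519 pattern described in
the bulletin: a hit on /gwtest/formssso with an excessively long "target"
query parameter. Example code, not Citrix's own; log format and threshold
are assumptions."""
import re
from urllib.parse import urlsplit, unquote

VULN_PATH = "/gwtest/formssso"

# Assumed threshold: the bulletin only says the "target" value is
# "excessively long"; the real buffer size is not published here.
MAX_TARGET_LEN = 128

# Common Log Format; the request field is 'METHOD /path?query HTTP/x.y'.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log_line(line):
    """Return the CLF fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def raw_query_params(query):
    """Split a raw query string without decoding it, so the raw value that
    reached the server is preserved and can be measured before and after
    percent-decoding."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote(key).lower(), []).append(value)
    return params


def analyze_request(request):
    """Classify one request-target string.

    Returns None for requests that do not touch the vulnerable endpoint,
    an "info" finding for any hit on it (it is a test endpoint that is
    rarely used legitimately), and a "high" finding when the decoded
    "target" value exceeds MAX_TARGET_LEN."""
    parts = urlsplit(request)
    if parts.path.rstrip("/").lower() != VULN_PATH:
        return None
    params = raw_query_params(parts.query)
    # Measure the decoded length: the overflow happens after URL decoding,
    # so "%41" * 300 counts as 300 bytes, not 900.
    decoded_len = max((len(unquote(v)) for v in params.get("target", [])), default=0)
    if decoded_len > MAX_TARGET_LEN:
        return {"severity": "high",
                "reason": f"decoded target length {decoded_len} exceeds {MAX_TARGET_LEN}"}
    return {"severity": "info", "reason": "request to formssso test endpoint"}


def scan_log(lines):
    """Run analyze_request over every parsable line; return the findings."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        finding = analyze_request(rec["request"])
        if finding is not None:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "status": rec["status"], **finding})
    return findings


# Constructed sample lines: a normal portal hit, a short legitimate-looking
# formssso request, and an oversized percent-encoded "target" value.
SAMPLE_LOG = [
    '203.0.113.10 - - [18/Jul/2023:10:01:12 +0000] '
    '"GET /vpn/index.html HTTP/1.1" 200 5120',
    '203.0.113.10 - - [18/Jul/2023:10:01:15 +0000] '
    '"GET /gwtest/formssso?event=start&target=https://app.example.com/ HTTP/1.1" 200 312',
    '198.51.100.7 - - [18/Jul/2023:10:02:40 +0000] '
    '"GET /gwtest/formssso?event=start&target=' + "%41" * 300 + ' HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity'].upper():5} {f['ip']:15} {f['ts']} status={f['status']} {f['reason']}")
```

The check is deliberately conservative: a 5xx status is a useful corroborating signal for a crash but is not required, because a successful exploit can return a 2xx, and an attacker can also pad the value with percent-encoded bytes, which is why the length is measured after decoding.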
How do I protect myself?
Citrix has released cumulative security patches that address CVE-2023-3519.
Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
Additional Resources About CVE-2023-3519