
Just in Time Bulletin: CVE-2023-3519 Citrix NetScaler Gateway and ADC RCE

Jul 25, 2023

What is CVE-2023-3519?

Researchers have discovered that Citrix NetScaler Gateway and ADC are prone to unauthenticated remote command execution. The vulnerability stems from gaps in input validation that can be exploited to cause a stack-based buffer overflow. Citrix ADC and NetScaler Gateway are enterprise products that provide remote access and load balancing (among other functions). They are distinct products, but they share a significant amount of functionality and, as it turns out, exploitability.

An analysis of the patches released by Citrix revealed changes in the function “ns_aaa_gwtest_get_event_and_target_names,” where additional checks were added around calls to “ns_aaa_saml_url_decode.” A review of the call stack showed that the vulnerable function is called by “ns_aaa_gwtest_get_valid_fsso_server,” which is reachable by unauthenticated threat actors at the endpoint “/gwtest/formssso”. The “formssso” endpoint expects an “event” and a “target” value submitted as URL query parameters. Because there is no bounds check on the “target” value, an attacker can supply an excessively long value that results in a buffer overflow and a crash. Crafted values in the target parameter can give an attacker control of the EIP.
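Because the bulletin names the reachable endpoint (“/gwtest/formssso”) and the unchecked parameter (“target”), a defender can hunt for exploitation attempts in web access logs. The following is an added example, not code from the bulletin or from Citrix: it parses combined-format access log lines, isolates requests to the formssso endpoint, and flags any whose decoded “target” value exceeds a length threshold. The log lines are constructed for illustration, and the threshold MAX_TARGET_LEN is an assumption to be tuned to the longest target your legitimate forms-SSO flows actually send.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed threshold: legitimate forms-SSO targets are short URLs, so anything
# far longer is worth a look. Tune this to your own environment.
MAX_TARGET_LEN = 256

# Endpoint named in the bulletin as reachable without authentication.
FORMSSSO_PATH = "/gwtest/formssso"

# Apache/NGINX combined log format: client, ident, user, [time], "METHOD URL PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (not real traffic). The third line carries a
# 600-character "target" value, the shape the bulletin describes as overflowing.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [20/Jul/2023:10:12:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Jul/2023:10:12:09 +0000] "GET /gwtest/formssso?event=start'
    '&target=https%3A%2F%2Fintranet.example%2Fapp HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [20/Jul/2023:10:13:44 +0000] "GET /gwtest/formssso?event=start&target='
    + "A" * 600 + ' HTTP/1.1" 500 0 "-" "python-requests/2.31"',
])


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, url, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "url": url, "status": int(status)}


def find_suspicious_formssso(log_text, max_target_len=MAX_TARGET_LEN):
    """Flag requests to /gwtest/formssso whose decoded 'target' parameter is oversized.

    Returns a list of findings; each carries the client IP, timestamp, HTTP status,
    the 'event' value and the decoded length of the longest 'target' value seen.
    """
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if parts.path.lower().rstrip("/") != FORMSSSO_PATH:
            continue
        # parse_qs percent-decodes values, so the length reflects what the appliance sees.
        params = parse_qs(parts.query, keep_blank_values=True)
        target = max(params.get("target", [""]), key=len)
        if len(target) > max_target_len:
            findings.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "status": rec["status"],
                "event": params.get("event", [""])[0],
                "target_len": len(target),
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_formssso(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} event={f['event']!r} "
              f"target_len={f['target_len']} (> {MAX_TARGET_LEN})")
```

The legitimate formssso request in the sample is not flagged, only the one with the oversized target. Because the bulletin notes that exploitation predates the patch, a hit from this check on an appliance that has since been updated still warrants an incident-response look rather than being closed as "already patched".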

Researchers have successfully weaponized this vulnerability to achieve remote command execution. Citrix NetScaler Gateway and ADC are wildly popular, with nearly 70,000 instances identified in a few simple Shodan queries. Given that unauthenticated actors can exploit this vulnerability and how prevalent the Citrix products are, it is certain that mass exploitation is well underway. Patch yesterday or risk compromise.

How bad is this?

Active exploitation today: Actively exploited in the wild prior to patch availability.

CVE            | CVSSv3 Score
CVE-2023-3519  | 9.8

Severity: Critical

  • Credentials are NOT required
  • Exploited in the wild
  • Low level of complexity
  • Abundance of targets

How is it exploited? 

Exploitation can be accomplished with a crafted request to the vulnerable endpoint. Appliances not configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server are not exploitable.

How do I protect myself?

Citrix has released a cumulative security patch to address CVE-2023-3519.

Affected Versions
  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
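The list above gives one fixed build per release branch, and the FIPS and NDcPP variants have their own build numbers, so a bare "13.1-37.159" means something different on a FIPS appliance than on a standard one. The following added example (not code from the bulletin or from Citrix) compares a NetScaler version string against those fixed builds and reports whether the appliance is at or past the patched release for its branch. The accepted input formats ("13.1-49.13" and a "NS13.1: Build 49.13.nc"-style string) and the need to pass the variant explicitly are assumptions of this example; branches not listed in the bulletin come back as "unknown" rather than being guessed.

```python
import re

# First fixed (build, sub-build) per release branch and variant, taken from the
# bulletin's list. Variant None is the standard (non-FIPS, non-NDcPP) release.
FIXED_BUILDS = {
    ("13.1", None):    (49, 13),
    ("13.0", None):    (91, 13),
    ("13.1", "FIPS"):  (37, 159),
    ("12.1", "FIPS"):  (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}

# Assumed input shapes: "13.1-49.13" or "NetScaler NS13.1: Build 49.13.nc, ...".
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-: ]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, (build, sub_build)) parsed from a NetScaler version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, build, sub = m.groups()
    return branch, (int(build), int(sub))


def assess(text, variant=None):
    """Classify an appliance as 'patched', 'vulnerable' or 'unknown' for CVE-2023-3519.

    variant: None for standard builds, "FIPS" or "NDcPP" for those product lines.
    Branches the bulletin does not list (for example 12.1 standard) return 'unknown'
    so that an absent entry is never silently read as 'patched'.
    """
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (build, sub_build) numerically, so 49.13 >= 49.13
    # and 49.15 >= 49.13 are both patched while 48.47 is not.
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory rows: (version string, variant), not real hosts.
    inventory = [
        ("NetScaler NS13.1: Build 49.13.nc, Date: Jul 10 2023", None),
        ("13.1-48.47", None),
        ("13.1-37.159", "FIPS"),
        ("13.1-37.159", None),
        ("12.1-65.30", None),
    ]
    for version, variant in inventory:
        print(f"{version:<55} variant={variant!s:<6} -> {assess(version, variant)}")
```

Note that a "patched" result only says the build is at or past the fix; given that this vulnerability was exploited before patches existed, an appliance that was exposed while vulnerable should still be reviewed for signs of compromise.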

Mitigating Factors?

Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Additional Resources About CVE-2023-3519