Citrix has urged its customers to patch NetScaler ADC and Gateway products after discovering a critical-severity zero-day vulnerability.
The flaw tracked as CVE-2023-3519, with a CVSS score of 9.8, is an unauthenticated remote code execution and was observed exploited in the wild.
The vulnerability known to impact the following versions of the NetScaler ADC and Gateway products:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297, and
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
In order to exploit, the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
Apart from the zero-day, other two more vulnerability impacting Citrix products are patched:
- CVE-2023-3466 with a CVSS score: 8.3 – Enables reflected XSS, which could result in unauthorized execution of malicious scripts. For it to be exploited, threat actors have to trick their target to click a malicious link in the browser. Also, the victim should be on a network with connectivity to the NSIP.
- CVE-2023-3467 with a CVSS score: 8.0 – Enables privilege escalation to the root administrator (nsroot). In this case, authenticated access to NSIP or SNIP with management interface access is required.
Companies should update the aforementioned versions to:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP
Although NetScaler ADC and NetScaler Gateway version 12.1 are also on the list of affected products, they were not patched. Both have reached the end-of-life stage, consequently, customers are advised to upgrade to a more recent version.