Citrix has issued a critical security advisory for NetScaler ADC and NetScaler Gateway (formerly Citrix ADC and Citrix Gateway). Among the vulnerabilities it covers is a zero-day that was already being exploited in the wild before the fix shipped.
Customer-managed appliances must be patched as soon as possible. Citrix-managed cloud services and the Adaptive Authentication service are not affected and require no customer action.
The most severe vulnerability, identified as CVE-2023-3519, allows an unauthenticated attacker to achieve remote code execution. To be susceptible to this exploit, the affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
Citrix states that exploitation of CVE-2023-3519 has been observed against unmitigated appliances, so this is an active in-the-wild attack rather than a theoretical one.
The affected product versions include:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
Note that the standard (non-FIPS, non-NDcPP) 12.1 release of NetScaler ADC and NetScaler Gateway is also vulnerable, but it is end-of-life and will not receive a fix; appliances on that release must be upgraded to a supported release to close the hole.
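To turn the exposure condition (Gateway or AAA virtual server) and the version list above into a check an operator can run against their own appliance, here is an added Python example; it is not Citrix tooling and not code from the advisory. It assumes that the first line of `show ns version` has the form `NetScaler NS13.1: Build 48.47.nc, ...`, that Gateway and AAA virtual servers appear in `show ns runningConfig` as `add vpn vserver` and `add authentication vserver` commands, and that the edition (standard, FIPS or NDcPP) is supplied separately because the banner alone is assumed not to distinguish it. The sample banner and configuration lines are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Fixed builds from the advisory, keyed by (release, edition).
# Builds below these values are vulnerable.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}
# Listed as vulnerable but end-of-life: no fix will ship for these.
EOL_RELEASES = {("12.1", "standard")}

# Assumed shape of the first line printed by `show ns version`, e.g.
# "NetScaler NS13.1: Build 48.47.nc, Date: ..." (assumption about the format).
VERSION_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)

# Running-config commands (from `show ns runningConfig`) that create the
# virtual servers named in the advisory's pre-condition:
#   add vpn vserver ...            -> Gateway
#   add authentication vserver ... -> AAA
EXPOSED_VSERVER_RE = re.compile(r"^add (?P<kind>vpn|authentication) vserver (?P<name>\S+)")

# Constructed sample input (not real appliance output).
SAMPLE_BANNER = "NetScaler NS13.1: Build 48.47.nc, Date: Jun 12 2023, 10:12:52   (64-bit)"
SAMPLE_CONFIG = [
    "add lb vserver web_vip HTTP 10.0.0.5 80",
    "add vpn vserver gw_vip SSL 10.0.0.10 443",
    "add authentication vserver aaa_vip SSL 10.0.0.11 443",
    "add cs vserver cs_vip SSL 10.0.0.12 443",
]


def parse_version(banner: str) -> Tuple[str, Tuple[int, int]]:
    """Return (release, (build_major, build_minor)) from a version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def assess_build(release: str, build: Tuple[int, int], edition: str = "standard") -> str:
    """Compare a build against the advisory's fixed builds for its edition.

    The edition (standard/FIPS/NDcPP) is passed explicitly because this example
    assumes the banner alone does not reveal it.
    """
    key = (release, edition)
    if key in EOL_RELEASES:
        return "vulnerable (end-of-life, no fix available: upgrade to a supported release)"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "not listed in the advisory"
    # Tuple comparison orders (major, minor) numerically, so 37.159 > 37.16,
    # which a plain string comparison would get wrong.
    if build < fixed:
        return f"vulnerable (fixed in {release}-{fixed[0]}.{fixed[1]})"
    return "patched"


def exposed_vservers(config_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """List (kind, name) for every Gateway or AAA virtual server in the config."""
    found = []
    for line in config_lines:
        m = EXPOSED_VSERVER_RE.match(line.strip())
        if m:
            kind = "Gateway" if m.group("kind") == "vpn" else "AAA"
            found.append((kind, m.group("name")))
    return found


def triage(banner: str, config_lines: Iterable[str], edition: str = "standard") -> Dict[str, object]:
    """Combine the build check with the configuration check for CVE-2023-3519."""
    release, build = parse_version(banner)
    status = assess_build(release, build, edition)
    exposed = exposed_vservers(config_lines)
    vulnerable = status.startswith("vulnerable")
    if vulnerable and exposed:
        action = "patch immediately: vulnerable build with Gateway/AAA exposure"
    elif vulnerable:
        action = "patch: vulnerable build, but no Gateway/AAA virtual server configured"
    elif status == "patched":
        action = "no action for this advisory"
    else:
        action = "release not covered by this advisory: check the vendor's current guidance"
    return {"release": release, "build": build, "status": status, "exposed": exposed, "action": action}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_BANNER, SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
```

Replace the constructed samples with the real output of `show ns version` and `show ns runningConfig` from the appliance. The build comparison deliberately uses integer tuples rather than strings, since the FIPS fixed build `37.159` sorts below `37.16` as text but above it numerically.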
The advisory covers two further vulnerabilities: CVE-2023-3466, a reflected cross-site scripting flaw that requires the victim to open an attacker-controlled link in a browser that has network connectivity to the appliance's NSIP, and CVE-2023-3467, a privilege escalation to root administrator (nsroot) that requires authenticated access to the NSIP or a SNIP with management access enabled.
In summary, Citrix users should apply the fixed builds promptly. Because CVE-2023-3519 was exploited before a fix existed, patching alone does not undo a compromise that has already happened: appliances that were running a vulnerable build while exposed as a Gateway or AAA virtual server should also be reviewed for signs of prior intrusion.