Citrix Servers
The Underlying Threat in Over 15K Citrix Servers

A considerable number of Citrix NetScaler ADC and Gateway servers exposed on the internet are vulnerable to attacks exploiting a critical remote code execution (RCE) bug. The bug had previously been exploited as a zero-day, which leaves these servers at real risk.

Shadowserver Foundation: The Investigation Continues

The finding was reported this week by security researchers at the Shadowserver Foundation, a non-profit organization that works to strengthen internet security. They found that at least 15,000 appliances have been flagged as vulnerable to such attacks based on their version information. Shadowserver said it tags every IP address that returns a version hash in the Citrix instance. This tagging matters because Citrix removed the version hash in its latest revisions.

Shadowserver Foundation’s reasoning is that any instance still showing a version hash has probably not been updated and may therefore be vulnerable. They also pointed out that the figure is an undercount: some revisions known to be vulnerable are not included in the total of exposed Citrix servers because they do not expose a version hash.

Citrix: Patching Up Vulnerabilities

In response to the RCE vulnerability, Citrix issued security updates on July 18th. Citrix confirmed that “exploits of CVE-2023-3519 on unmitigated appliances have been seen” and advised customers to apply the patches without delay.

The company clarifies that unpatched NetScaler appliances are only vulnerable to these attacks if they are configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (referred to as the AAA server).
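One way to triage an appliance against that condition is to scan its running configuration for the virtual server types Citrix lists. The following is an added example, not code from Citrix or from the article; it assumes the NetScaler ns.conf convention that gateway servers are declared as `add vpn vserver ...` and AAA servers as `add authentication vserver ...`, and the configuration excerpt is constructed for illustration.

```python
import re

# Constructed ns.conf excerpt for illustration only (not from a real appliance).
SAMPLE_NS_CONF = """\
add lb vserver lb_web HTTP 10.0.0.10 80
add vpn vserver gw_vpn SSL 203.0.113.5 443
add authentication vserver aaa_auth SSL 203.0.113.6 443
add cs vserver cs_front SSL 203.0.113.7 443
"""

# Assumed ns.conf form: "add <feature> vserver <name> <protocol> <ip> <port>".
# All gateway flavours (VPN, ICA Proxy, CVPN, RDP Proxy) are "vpn" vservers;
# the AAA server is an "authentication" vserver.
_VSERVER_RE = re.compile(
    r"^add\s+(?P<feature>vpn|authentication)\s+vserver\s+"
    r"(?P<name>\S+)\s+(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)",
    re.IGNORECASE,
)


def exposed_vservers(ns_conf: str) -> list[dict]:
    """Return every gateway or AAA virtual server declared in the config."""
    found = []
    for line in ns_conf.splitlines():
        m = _VSERVER_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["role"] = "gateway" if entry["feature"].lower() == "vpn" else "aaa"
            found.append(entry)
    return found


def exposure_summary(ns_conf: str) -> dict:
    """Group matches by role and flag whether the exposed condition is met."""
    vservers = exposed_vservers(ns_conf)
    gateway = [v for v in vservers if v["role"] == "gateway"]
    aaa = [v for v in vservers if v["role"] == "aaa"]
    return {"gateway": gateway, "aaa": aaa, "exposed": bool(gateway or aaa)}


if __name__ == "__main__":
    summary = exposure_summary(SAMPLE_NS_CONF)
    for v in summary["gateway"] + summary["aaa"]:
        print(f"{v['role']:8} {v['name']} {v['ip']}:{v['port']}")
    print("exposed configuration:", summary["exposed"])
```

An appliance with no such virtual servers falls outside the exposed configurations Citrix describes; the check narrows triage but does not replace applying the July 18th updates.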

Cyber Security: An Ongoing Threat

The CVE-2023-3519 RCE zero-day was likely available online from the first week of July. This coincides with a threat actor advertising a Citrix ADC zero-day flaw on a hacker forum. Tech news outlet BleepingComputer confirmed that Citrix knew of the zero-day advertisement and had started developing a patch before making an official statement.

At the same time, Citrix also released patches for two other high-severity vulnerabilities, CVE-2023-3466 and CVE-2023-3467. The former can allow attackers to carry out cross-site scripting (XSS) attacks by tricking targets on the same network into opening a malicious link in their web browser. The latter makes it possible to escalate privileges and obtain root permissions.

Although the second is more impactful, it requires authenticated access to the vulnerable appliance’s management interface, via its NetScaler IP (NSIP) or a Subnet IP (SNIP) address.

CISA Takes Charge: A Call to Action on Citrix Servers

To counter the growing threat, CISA issued a directive to U.S. federal agencies on Wednesday instructing them to secure the Citrix servers in their networks against the ongoing attacks by August 9th.

CISA also warned that the bug had been used to breach the systems of a U.S. critical infrastructure organization. “In June 2023, threat actors took advantage of this vulnerability as a zero-day to install a webshell on a critical infrastructure organization’s NetScaler ADC appliance,” CISA stated in a separate advisory issued on Thursday.

The webshell allowed the attackers to enumerate the victim’s Active Directory (AD) and to collect and exfiltrate AD data. They also attempted lateral movement to a domain controller, but network-segmentation controls on the appliance blocked the attempt. The incident and the potential for further attacks underline the importance of swift and effective remediation.