CVE-2023-3519: Threat Actors Exploits the Citrix Zero-Day Vulnerability for Remote Code Execution

On June 20th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA)  released a cybersecurity advisory on an actively exploited critical vulnerability discovered in NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway products [1]. The advisory alerted to three vulnerabilities, CVE-2023-3466 (a Reflected XSS vulnerability), CVE-2023-3467 (allowing for privilege escalation to root administrator level), and the most severe, CVE-2023-3519 (CVSS 9.8) [2], an unauthenticated remote code execution (RCE) vulnerability affecting millions of users across the globe [3]. This vulnerability has been leveraged by many threat actors to implant webshells in vulnerable systems. 

In this blog, we delve into the alarming NetScaler ADC and NetScaler Gateway CVE-2023-3519 vulnerability and give a detailed explanation of tactics, techniques, and procedures (TTPs) used by adversaries as well as detection and mitigation suggestions.

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

What Are Citrix CVE-2023-3466 and CVE-2023-3467 Vulnerabilities?

Before we dissect the core aspects of the critical Citrix CVE-2023-3519 remote code execution vulnerability, it's worth addressing two other zero-day vulnerabilities, namely CVE-2023-3566 and CVE-2023-3467. While these vulnerabilities might not possess the same level of severity as CVE-2023-3519, their existence and potential for exploitation are still disconcerting and worthy of our attention.

• CVE-2023-3466 

CVE-2023-3466 (CVSS 8.3) is a high severity Reflected Cross-Site Scripting (XSS) vulnerability [4]. In this type of attack, the attacker injects a malicious script into a webpage which then gets executed in the victim's browser when they visit the attacker-controlled webpage. 

This vulnerability requires the victim to access an attacker-controlled link while being on a network with connectivity to the NetScaler IP (NSIP). Successful exploitation of this vulnerability allows unauthorized execution of malicious scripts, leading to potential data theft, session hijacking, or even defacing of the webpage. 

•  CVE-2023-3467

CVE-2023-3467 (CVSS 8.0) is a privilege escalation vulnerability [5]. In this case, an attacker with authenticated access to the NSIP or SNIP with management interface access can escalate their privileges to the root administrator (nsroot) level. This means that an attacker with limited privileges can gain full administrative control of the system. While the exploitation of this vulnerability requires low-level access to the targeted system, the impact is considered very high as it allows the attacker to potentially control and manipulate all system functions. 

What Is Citrix CVE-2023-3519 Unauthenticated Remote Code Vulnerability?

Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway are designed to ensure secure application delivery and VPN connectivity, extensively utilized worldwide, particularly within critical infrastructure organizations. 

On July 20th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory regarding an unauthenticated remote code execution vulnerability in these Citrix products. Found in systems configured as a Gateway or functioning as an authentication, authorization, and auditing (AAA) virtual server, this vulnerability exposes the systems to possible exploitation by unauthorized individuals. 

Upon exploiting this vulnerability, threat actors have the ability to upload files containing malicious webshells and scripts, enabling them to conduct network scanning and extract sensitive information. They can view and decipher encrypted passwords stored in the server's configuration files, using decryption keys available on the same server. This decryption capability gives them access to Active Directory credentials, allowing them to gather extensive information, including user, computer, group, subnet, and organizational unit details. 

Note that the attackers' attempts at post-exploitation lateral movement, such as implanting a secondary webshell for potential proxying of traffic, were prevented by robust firewall and account restrictions, demonstrating the importance of secure network configurations in limiting the impact of such attacks.

Affected Regions and Countries

A quick report generated from Shodan illustrates the predominant use of Citrix Gateways. Evidently, the United States, Germany, the United Kingdom, Switzerland, and the Netherlands emerge as the top five countries utilizing Citrix Gateway. By conducting a swift Shodan search, adversaries can identify enticing targets that haven't updated their vulnerable NetScaler ADC and Gateway products.

Figure 1: A General Shodan Report Highlighting the Countries that Use Citrix Gateway.

Citrix NetScaler ADC and Gateway Vulnerability: Affected Products and Fixed Versions

For immediate remediation actions, here's a list of the impacted products and versions, along with their respective fixed versions.

Citrix CVE-2023-3519 Exploit Example - How Does It Work?

In this section, we explained the tactics, techniques and procedures (TTPs) observed in an attack that exploited the CVE-2023-3519 zero-day vulnerability [1]. 

• Initial Access 

• • Exploit Public-Facing Application (ATT&CK T1190)

Threat actors exploited a vulnerability (CVE-2023-3519) in the organization's public-facing NetScaler ADC appliance, providing them the initial foothold.

• Command and Control 

• • Server Software Component: Web Shell (ATT&CK T1505.003)

Capitalizing on the exploited vulnerability, the threat actors managed to upload a TGZ file, which encapsulated a generic webshell. This webshell facilitated remote command execution, granting them the ability to manipulate the compromised system, thereby establishing a reliable command and control channel.

• Privilege Escalation 

• • Abuse Elevation Control Mechanism: Setuid and Setgid (ATT&CK T1548.001)

The adversaries leveraged an uploaded TGZ file comprising a setuid binary, intentionally exploiting the Elevation Control Mechanism. This activity allowed them to amplify their permissions within the system, leading to the acquisition of escalated privileges.

• Defense Evasion

• • Masquerading: Masquerade File Type (ATT&CK T1036.008)

To avoid detection during data exfiltration, the attackers masqueraded the collected data by uploading it as an image file to a web-accessible path, thereby bypassing conventional security measures that might not associate image files with data breaches.

• Credential Access 

• • Unsecured Credentials: Credentials In Files (ATT&CK T1552.001) 

• • Unsecured Credentials: Private Keys (ATT&CK T1552.004)

The actors managed to decrypt encrypted passwords by viewing the NetScaler configuration files and using the stored decryption keys on the ADC appliance.

• NetScaler configuration files: The attackers accessed NetScaler configuration files located at /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf (Unsecured Credentials: Credentials In Files - ATT&CK T1552.001). These configuration files contained an encrypted password that the threat actors were able to decrypt.

• Decryption keys: In addition to the configuration files, the threat actors also viewed the decryption keys stored on the ADC appliance (Unsecured Credentials: Private Keys - ATT&CK T1552.004). These keys were used to decrypt the Active Directory (AD) credential extracted from the configuration file.

The combination of these actions allowed the threat actors to access sensitive data and gain further control over the compromised system.

• Discovery 

• • Domain Trust Discovery (ATT&CK T1482)

The actors queried the AD for trusted domains (objectClass=trustedDomain), a technique used to find trust relationships within the network that could be exploited to move laterally or escalate privileges.

• • Permission Groups Discovery: Domain Groups (ATT&CK T1069.002)

By querying the AD for groups (objectClass=group), the attackers gathered information on organizational units, and access rights, potentially identifying accounts with higher privileges. 

• • Remote System Discovery (ATT&CK T1018)

By querying the AD for computers (objectClass=computer), the threat actors could map out the network topology and identify potential systems for further exploitation.

• • System Network Configuration Discovery (ATT&CK T1016.001) 

By attempting to verify outbound network connectivity with a ping command and executing host commands for a subnet-wide DNS lookup, the threat actors sought to understand the organization's connectivity with the internet, which could help in planning further actions and evasion techniques.

• • Network Service Discovery (ATT&CK T1046)

The threat actors conducted SMB scanning on the organization's subnet. This scanning can reveal running services, open ports, and other potential points of vulnerability within the network.

• • Account Discovery: Domain Account (ATT&CK T1087.002)

The actors queried the AD for users (objectClass=user) (objectcategory=person). This allowed them to identify user accounts that might be used for further exploitation.

• Collection

• Archive Collected Data: Archive via Utility (ATT&CK T1560.001)

The actors used the 'tar' command in conjunction with 'openssl' to encrypt the collected data. Specifically, they used the command: tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k <> -out /var/tmp/test.tar.gz. 

• • Data from Local System (ATT&CK T1005)

The actors viewed the NetScaler configuration files located at /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf. These files contained sensitive information, including encrypted passwords.

• • Data Staged (ATT&CK T1074)

After collecting and archiving the data, the threat actors staged it for exfiltration by uploading the file to a web-accessible path: cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png.

• Command and Control

• Proxy: Internal Proxy (ATT&CK T1090.001) 

The threat actors likely implanted a second webshell, probably a PHP shell, with proxying capabilities. This was used in their attempt to proxy SMB traffic to the DC. This attempt, however, was blocked by firewall and account restrictions.

• Impact

• • Account Access Removal (ATT&CK T1531)

In a bid to extend their unauthorized presence and hinder detection, the attackers wiped out the authorization configuration file situated at /etc/auth.conf. This move was possibly strategized to disallow pre-configured users, such as admins, from remotely accessing the system and potentially discovering the intrusion. 

Consequently, this action would generally force the organization to reboot into single use mode, which might result in deletion of artifacts from the device. However, in this specific case, the victim organization had an SSH key readily available that allowed them back into the appliance without needing to reboot it [1].

Citrix CVE-2023-3519 Vulnerability Prevention Suggestions

In response to the attack, it's critical for all organizations to implement certain mitigating measures. These include promptly installing the updated versions of NetScaler ADC and NetScaler Gateway. 

Also, upholding optimal cybersecurity protocols in both production and enterprise environments is strongly advised. This includes implementing multi-factor authentication (MFA) that is resistant to phishing attacks for all services and personnel.

Lastly, as part of a more extended initiative, organizations are advised to enforce strong network-segmentation controls on NetScaler appliances and any other devices exposed to the internet [1].

How Picus Helps Simulate Exploitation Attacks Against Citrix Vulnerabilities?

We also strongly suggest simulating the exploitation attacks against vulnerable Citrix products to test the effectiveness of your security controls against real-life cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other exploitations, such as CVE-2023-34362 MOVEit Transfer SQLi, CVE-2023-27350 PaperCut, and CVE-2023-23397 Microsoft Office Outlook Privilege Escalation vulnerabilities, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats associated with Citrix vulnerabilities:

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures designed to tackle zero-day vulnerabilities, Citrix vulnerabilities, and other types of exploitation attacks within preventive security controls. Currently, Picus Labs has validated the following signatures specifically for exploitation attacks on Citrix vulnerabilities:

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trial  of Picus The Complete Security Validation Platform.

References

[1] “Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a. [Accessed: Jul. 21, 2023]

[2] “NVD - CVE-2023-3519.” Available: https://nvd.nist.gov/vuln/detail/CVE-2023-3519. [Accessed: Jul. 21, 2023]

[3] “Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467.” Available: https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467. [Accessed: Jul. 21, 2023]

[4] “NVD - CVE-2023-3466.” Available: https://nvd.nist.gov/vuln/detail/CVE-2023-3466. [Accessed: Jul. 21, 2023]

[5] “NVD - CVE-2023-3467.” Available: https://nvd.nist.gov/vuln/detail/CVE-2023-3467. [Accessed: Jul. 21, 2023]