CVE-2023-3519 Citrix (NetScaler) ADC and Gateway critical vulnerabilities

Summary
Citrix has released an advisory regarding critical vulnerabilities in its NetScaler ADC and NetScaler Gateway products, informing users that exploits have been seen for sale on Dark Web sites and that the vulnerabilities have been exploited in the wild by threat groups. Citrix "strongly urges" that users apply patches without delay. The patches address three separate vulnerabilities, the most severe of which (CVSSv3 9.8) allows an attacker to execute code remotely without authentication.

CVE-2023-3519: Citrix ADC/Citrix Gateway Unauthenticated remote code execution
The appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server) to be exploitable. The vulnerability allows an unauthenticated attacker to achieve remote code execution (RCE) on the target system.

CVSSv3: 9.8

CVE-2023-3466: Reflected Cross-Site Scripting (XSS)
Exploitation requires the victim to open an attacker-controlled link in a browser while on a network with connectivity to the NetScaler IP (NSIP). This allows the attacker to conduct a cross-site scripting (XSS) attack on the target.

CVSSv3: 8.3

CVE-2023-3467: Privilege Escalation to root administrator (nsroot)
Allows an attacker to escalate privileges to nsroot (root administrator).

CVSSv3: 8.0

Affected versions

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
    Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Mitigations
Citrix has released patches to address these vulnerabilities.

Additional Resources
https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-days/