The Shadowserver Foundation, a non-profit threat intelligence organization, has reported that more than 15,000 internet-exposed Citrix NetScaler ADC and NetScaler Gateway appliances remain vulnerable to CVE-2023-3519, a critical unauthenticated remote code execution (RCE) flaw. The bug has already been exploited in the wild: attackers used it to plant a web shell on a critical infrastructure organization’s NetScaler ADC and exfiltrate Active Directory (AD) data from the network behind it.
As the foundation’s researchers point out, the risk is significant even where network segmentation does its job: in that incident, segmentation blocked the attackers’ attempt to reach a domain controller, but the appliance itself was fully compromised and AD data still left the network. The Cybersecurity and Infrastructure Security Agency (CISA) has since published a cybersecurity advisory (CSA) making the same point.
Shadowserver identifies vulnerable appliances by the version hash that the login page of older builds exposes; the fixed releases no longer display it. According to the foundation, “Any instance that still displays version hashes can be assumed to be unupdated and potentially vulnerable.” It added that its figure is likely an undercount, because builds known to be vulnerable but that do not expose a version hash were left out of the total.
Citrix released security updates on July 18, stating that “exploits of CVE-2023-3519 on unmitigated appliances have been observed,” and is urging customers to apply them immediately. The flaw is only reachable on appliances configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization and auditing (AAA) virtual server; an unpatched NetScaler in either role is exposed to unauthenticated attackers.
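The two checks described above, the version-hash heuristic and a comparison against the fixed builds, are simple enough to script. The following is an added example written for this article, not Shadowserver’s or Citrix’s own tooling. It assumes the version hash appears as a 32-hex-character `?v=` query parameter on the login page’s script and stylesheet URLs (the sample HTML fragments and hash values are constructed, not captured from a real appliance), and it carries the fixed build numbers from Citrix bulletin CTX561482, which this article does not list. Remember the caveat Shadowserver itself gives: a missing hash does not prove an appliance is patched, and neither check tells you whether a web shell is already present.

```python
from __future__ import annotations

import re

# Constructed sample fragments, not captured from a real appliance. The
# ?v=<hex> query strings stand in for the version hashes Shadowserver
# refers to; the hash values themselves are made up.
UNPATCHED_HTML = """
<link rel="stylesheet" href="/logon/themes/Default/resources/css/ctxs.authentication.css?v=0123456789abcdef0123456789abcdef">
<script type="text/javascript" src="/vpn/js/gateway_login_form_view.js?v=fedcba9876543210fedcba9876543210"></script>
"""

PATCHED_HTML = """
<link rel="stylesheet" href="/logon/themes/Default/resources/css/ctxs.authentication.css">
<script type="text/javascript" src="/vpn/js/gateway_login_form_view.js"></script>
"""

# Assumption: the hash is exposed as a 32-hex-character ?v= parameter on
# the login page's static resources (script/stylesheet URLs).
VERSION_HASH_RE = re.compile(r'(?:src|href)="([^"?]+)\?v=([0-9a-fA-F]{32})"')


def version_hashes(html: str) -> list[tuple[str, str]]:
    """Return (resource path, hash) pairs still exposed by a login page."""
    return VERSION_HASH_RE.findall(html)


def looks_unpatched(html: str) -> bool:
    """Shadowserver's heuristic: any exposed version hash => assume unpatched.

    A page with no hash is NOT proof of a patched build; it only drops the
    appliance out of this heuristic, which is why Shadowserver calls its
    count an undercount.
    """
    return bool(version_hashes(html))


# Fixed builds from Citrix bulletin CTX561482 (July 18, 2023), keyed by
# (release, edition). (build, minor) tuples compare correctly as integers;
# comparing them as strings would rank 91.9 above 91.13.
FIXED_BUILDS = {
    ("13.1", None): (49, 13),
    ("13.0", None): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}

# Accepts "13.1-48.47" as well as the "NS13.1: Build 48.47.nc" form that
# `show ns version` prints on the appliance.
VERSION_RE = re.compile(r"(\d+\.\d+)\D+(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[str, tuple[int, int]]:
    """Split a NetScaler version string into (release, (build, minor))."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_fixed(text: str, edition: str | None = None) -> bool:
    """True if the build carries the CVE-2023-3519 fix.

    Releases with no fixed build in the bulletin (for example 12.1 non-FIPS,
    which is end of life) are reported as not fixed: there is nothing to
    upgrade to within that branch.
    """
    release, build = parse_version(text)
    fixed = FIXED_BUILDS.get((release, edition))
    return fixed is not None and build >= fixed


if __name__ == "__main__":
    print("unpatched sample exposes hashes:", version_hashes(UNPATCHED_HTML))
    print("patched sample looks unpatched:", looks_unpatched(PATCHED_HTML))
    for ver, ed in [("NS13.1: Build 48.47.nc", None), ("13.1-49.13", None),
                    ("12.1-65.35", None), ("13.1-37.159", "FIPS")]:
        print(ver, ed or "", "fixed" if is_fixed(ver, ed) else "NOT fixed")
```

In practice you would feed `looks_unpatched` the body of an HTTPS GET to the gateway or AAA login page and `is_fixed` the output of `show ns version` from the appliance shell; the version check is authoritative, the hash check is only a remote triage signal.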
Earlier in July, a listing offering a NetScaler ADC RCE zero-day, subsequently identified as CVE-2023-3519, appeared on a hacker forum. BleepingComputer reported that Citrix was already aware of the listing and working on a fix before the public disclosure.
Alongside CVE-2023-3519, Citrix patched two other high-severity vulnerabilities, CVE-2023-3466 and CVE-2023-3467. The former is a reflected cross-site scripting (XSS) flaw; it requires the victim to open an attacker-controlled link in a browser while on a network with connectivity to the appliance’s NetScaler IP (NSIP). The latter allows privilege escalation to root, but only for an attacker who already has authenticated access to the management interface via the NSIP or a subnet IP (SNIP), which limits its impact to post-compromise or insider scenarios.
CISA has added CVE-2023-3519 to its Known Exploited Vulnerabilities catalog and directed U.S. federal civilian agencies to patch their NetScaler appliances by August 9, following the breach at a U.S. critical infrastructure organization that was traced to the flaw. “The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement,” CISA said in a separate advisory.