Security researchers at Fox-IT, working in conjunction with the Dutch Institute of Vulnerability Disclosure (DIVD) have released an advisory this week which details a global hack of almost 2,000 Citrix Netscaler devices.

In the advisory, Fox-IT researchers (an NCC Group subsidiary) state that an as-yet unknown threat actor appears to have exploited CVE-2023-3519 in an automated fashion, placing web shells on vulnerable NetScaler systems to gain persistent access.

Through the web shell, the threat actor can execute arbitrary commands on the appliance, and the web shell survives even when the NetScaler is patched and/or rebooted.

Global compromise

During their research, the team identified that, at the time the exploitation campaign began, 31,127 NetScalers were vulnerable to this CVE.

As of August 14th, the day the advisory was released, 1,828 NetScalers remained backdoored, including 1,248 that had already been patched for CVE-2023-3519.

A global overview of known-compromised Netscalers located in each country, as of August 14th 2023 – NCC Group

CVE-2023-3519

The vulnerability targeted in this attack is tracked as CVE-2023-3519 and is described as a vulnerability that allows a threat actor to execute code remotely without authentication.

Citrix states that a number of products in the NetScaler series are affected by this vulnerability, including:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13 
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297

The vulnerability is exploitable only when the affected appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
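Two defender checks follow from the advisory: a build-number check against the affected-product list above, and a file-level check because patching closes the hole without removing a web shell that was already planted. The following is an added example, not Fox-IT's or Citrix's own tooling; the fixed builds are taken from the list above, while the web-root path and the file listings are constructed placeholders.

```python
import re

# First fixed build per affected branch, from the advisory's product list.
FIXED_BUILDS = {
    ("13.1", None): (49, 13),
    ("13.0", None): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:[ -](FIPS|NDcPP))?$")
WEB_ROOT = "/path/to/web-root/"  # placeholder: the appliance's web-served directory

# Constructed sample inputs: a known-good file manifest and an observed listing.
SAMPLE_BASELINE = {WEB_ROOT + "index.html", WEB_ROOT + "app.js"}
SAMPLE_OBSERVED = [WEB_ROOT + "index.html", WEB_ROOT + "app.js",
                   WEB_ROOT + "unknown.php", "/tmp/notes.txt"]

def parse_version(text):
    """Parse strings such as '13.1-48.47' or '12.1-55.290-FIPS'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    branch, major, minor, variant = m.groups()
    return branch, (int(major), int(minor)), variant

def is_vulnerable_build(text):
    """True if the build predates the fix, False if fixed, None if the branch is not listed."""
    branch, build, variant = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, variant))
    return None if fixed is None else build < fixed

def unexpected_web_files(observed, baseline):
    """Files under the web-served directory that the known-good manifest lacks."""
    return sorted(p for p in observed if p.startswith(WEB_ROOT) and p not in baseline)

def triage(version, observed, baseline):
    """Combine both checks: a patched build alone does not prove the device is clean."""
    vulnerable = is_vulnerable_build(version)
    extra = unexpected_web_files(observed, baseline)
    if vulnerable is True:
        return "unpatched"
    if extra:
        return "suspicious_files"  # patched (or unlisted) build with unexplained web files
    return "no_findings" if vulnerable is False else "unknown_branch"

if __name__ == "__main__":
    print(triage("13.1-49.13", SAMPLE_OBSERVED, SAMPLE_BASELINE))
```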

What is Netscaler?

NetScaler is a line of networking products first developed in 1997 and acquired by Citrix Systems in 2005. NetScaler consists of a number of products, including:

  • NetScaler, an application delivery controller (ADC)
  • NetScaler AppFirewall
  • NetScaler Unified Gateway
  • NetScaler Management & Analytics System
  • NetScaler SD-WAN

NetScaler monitors server health and allocates network and application traffic to additional servers for efficient use of resources.

By caching and compressing data, NetScaler can greatly improve the delivery speed and quality of applications to an end user.

NetScaler can be configured to act as a server proxy, process SSL requests, and offer VPN and micro-app VPN operations.

The NetScaler ADC can manage traffic flows during DDoS attacks, making sure traffic gets to critical applications. 

NetScaler logs of network activity can be fed into Citrix’s cloud-based analytics service where they are used to analyse and identify security risks within the network.