Description
A critical vulnerability has been identified in Citrix NetScaler ADC and NetScaler Gateway that allows unauthenticated remote code execution. The issue stems from multiple vulnerabilities that could compromise affected systems.
Affected Product(s)
Citrix NetScaler Application Delivery Controller (ADC) Versions 13.0 up to but not including 13.0-91.13 and 13.1 up to but not including 13.1-49.13
Technical Details
The vulnerabilities identified in Citrix NetScaler ADC and NetScaler Gateway are severe: they allow attackers to execute code remotely without authentication. The most prominent issue is improper control of code generation, a weakness classified under CWE-94. It is tied to the endpoint `/gwtest/formssso`, which permits remote code execution because of insufficient input validation and the resulting buffer overflow risk.
Discovered during detailed patch analysis, the vulnerability is caused by previously unchecked lengths when processing URL-decoded inputs. The function `ns_aaa_gwtest_get_valid_fsso_server`, and in particular `ns_aaa_gwtest_get_event_and_target_names`, exposes these gaps. The endpoint allows a buffer in the `nsppe` process to be overflowed, triggering a stack buffer overflow.
Threat actors can exploit this by crafting HTTP GET requests that manipulate the vulnerable endpoint's request parameters, in particular the `target` parameter, which is not subjected to any length verification. Exploitation does not depend on specific configurations such as SAML being enabled.
Further technical insights from Citrix and related advisories indicate that the patched versions implement strict checks on input lengths, closing the code-execution path that was previously open. Payloads aimed at the vulnerable endpoint show how easily it can be triggered: a request whose input exceeds the expected length is enough to cause a crash, which the analysis treats as confirmation that the code-injection path is reachable.
Detection is challenging because the endpoint behaves the same for malicious and benign submissions on both patched and unpatched instances, usually returning a 500 error response. Because traditional version-checking methods are inadequate here, organizations are strongly recommended to follow the Citrix advisories and the CISA indicators of compromise to verify the security of their systems.
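As an added example that is not part of the advisory, the following Python scans web access-log lines for requests to `/gwtest/formssso` whose URL-decoded `target` value is unusually long; because the page notes that response codes look the same on patched and unpatched appliances, the check works on the request side rather than on the status code. The combined log format, the constructed sample lines and the 256-byte alerting threshold are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/gwtest/formssso"
MAX_TARGET_LEN = 256  # assumed alerting threshold, not a value from the advisory

# Combined-format access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines, not taken from the advisory: the second one
# models an oversized, percent-encoded "target" value sent to the endpoint.
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Jul/2023:12:00:01 +0000] "GET /gwtest/formssso'
    '?event=start&target=https%3A%2F%2Fintranet.example%2Fhome HTTP/1.1" 500 123\n'
    '203.0.113.9 - - [10/Jul/2023:12:00:02 +0000] "GET /gwtest/formssso'
    '?event=start&target=' + '%41' * 400 + ' HTTP/1.1" 500 123\n'
    '198.51.100.7 - - [10/Jul/2023:12:00:03 +0000] "GET /logon/LogonPoint/'
    'index.html HTTP/1.1" 200 4321\n'
)

def check_line(line: str) -> Optional[dict]:
    # Parse one log line; return a record only for requests to the endpoint.
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("uri"))
    if parts.path != ENDPOINT:
        return None
    # parse_qs percent-decodes values, so the length measured here is the
    # decoded length, which is what the vulnerable parser has to store.
    params = parse_qs(parts.query, keep_blank_values=True)
    target = params.get("target", [""])[0]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "target_len": len(target),
    }

def scan_log(text: str, max_len: int = MAX_TARGET_LEN) -> list:
    # Return records whose decoded target length exceeds max_len.
    hits = []
    for line in text.splitlines():
        rec = check_line(line)
        if rec is not None and rec["target_len"] > max_len:
            hits.append(rec)
    return hits
```

Run `scan_log(SAMPLE_LOG)` to list the flagged requests; tune `MAX_TARGET_LEN` against the longest legitimate `target` values seen in your own logs.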
Weakness
The primary weakness associated with this vulnerability is improper control of code generation, which commonly results in code injection (CWE-94). It arises when the application processes inputs unsafely, allowing attackers to manipulate code execution paths.
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. This level of control could further allow for data exfiltration, system modification, or the deployment of additional malware.
Active Exploitation
We have observed activity from several adversary groups known for targeting vulnerabilities in major software components such as Citrix NetScaler ADC. These groups, including ExCobalt and FIN8, have been identified leveraging this vulnerability to achieve unauthorized execution and access.
Threat Actors: ExCobalt, FIN8, Fox Kitten, Unspecified Group – China
Ransomware Association
The vulnerability has been linked to ransomware attacks, notably involving the 8Base and RansomHub ransomware families, which exploit it to gain initial system access and deploy their ransomware payloads.
Mitigation and Resolution
We have released patches that address this vulnerability comprehensively. Users are urged to upgrade to the patched versions (13.0-91.13 or 13.1-49.13) as soon as possible to mitigate potential exploitation.
Should users be unable to apply the patches immediately, it is strongly recommended to restrict access to the management interface from untrusted networks until the patches can be applied.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Restrict network access to the management interface of Citrix ADC and Gateway environments until the patch is applied.
- Ensure your systems are regularly updated with the latest security patches and releases from Citrix.
- Employ network segmentation to isolate critical components from potentially non-trusted environments.
- Implement strict input validation and integrate security measures that prevent unauthorized access.
- Regularly audit systems for any signs of vulnerability exploitation or unusual network activity.
- Utilize security frameworks or platforms providing global threat intelligence for ongoing defense against attack vectors.
References
- Citrix ADC NetScaler Remote Code Execution
- Citrix Bulletin
- Analysis of CVE-2023-3519
- Zero Day Vulnerability Database
- National Vulnerability Database
- CVE MITRE