{"id":22279,"date":"2024-10-21T01:01:34","date_gmt":"2024-10-21T08:01:34","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?post_type=vulnerability_notice&p=22279"},"modified":"2024-10-24T01:06:16","modified_gmt":"2024-10-24T08:06:16","slug":"cve-2023-3519","status":"publish","type":"vulnerability_notice","link":"https:\/\/webdev.securin.xyz\/vulnerability-notice\/cve-2023-3519\/","title":{"rendered":"CVE-2023-3519"},"content":{"rendered":"
CVE-2023-3519 is a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway that allows unauthenticated remote code execution. It was published in the same Citrix bulletin as two other NetScaler issues, but CVE-2023-3519 itself is a single flaw, a stack-based buffer overflow in the packet processing engine, and it is reachable only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. It was exploited in the wild as a zero-day before fixed builds were available.<\/p>\n
<\/p>\n
Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway versions 13.0 before 13.0-91.13 and 13.1 before 13.1-49.13. Citrix's bulletin also lists affected FIPS and NDcPP builds of 12.1 and 13.1 with their own fixed build numbers, and the 12.1 mainline release, which is end of life and therefore receives no fix.<\/p>\n
<\/p>\n
CVE-2023-3519 is severe because it lets an unauthenticated remote attacker execute code on the appliance. NVD classes it as CWE-94 (improper control of code generation), but that label describes the outcome rather than the defect: patch analysis shows a memory-safety failure. The vulnerable endpoint is `\/gwtest\/formssso`, where request parameters are URL-decoded into fixed-size buffers without any check that the decoded data fits.<\/p>\n
The flaw was found by diffing the fixed build against the vulnerable one. In the vulnerable build, `ns_aaa_gwtest_get_valid_fsso_server`, through the helper it calls, `ns_aaa_gwtest_get_event_and_target_names`, processes the URL-decoded `event` and `target` parameters without bounding their length, so an over-long value overruns a stack buffer in the `nsppe` process, the packet processing engine that handles all traffic through the appliance.<\/p>\n
An attacker triggers the bug with a single crafted HTTP GET to `\/gwtest\/formssso` whose `target` parameter, sent together with an `event` parameter, is longer than the stack buffer; no length verification is applied before the copy. No SAML configuration is needed. The only precondition is that the appliance exposes a Gateway or AAA virtual server, which is exactly the role most internet-facing NetScalers play.<\/p>\n
The fixed builds add strict checks on the decoded input lengths, which closes the overflow. Sending a value that exceeds the expected length to an unpatched appliance crashes `nsppe`; that crash confirms the memory corruption (and is itself a denial of service, since the process carries all traffic), but it is not code execution. Turning the overflow into reliable code execution requires a full exploit beyond the crash, which the actors abusing this in the wild had.<\/p>\n
Remote detection is hard: an oversized request to the endpoint produces an HTTP 500 on both patched and unpatched appliances, so probing the endpoint does not reveal which build is running, and fingerprinting the version from outside is unreliable. Confirm the installed build on the appliance itself (for example with `show ns version` in the NetScaler CLI) and upgrade per the Citrix advisory. Because the fix removes the bug but not anything an attacker already planted, also hunt for the CISA indicators of compromise on any appliance that was exposed while unpatched, such as web shells dropped in the web root, new setuid binaries, and unusual entries in the HTTP error and shell logs.<\/p>\n
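The root cause described above (an unchecked decoded length feeding a fixed stack buffer) and the detection problem in the preceding paragraph share one parsing step, so the following added example, written for this page and not taken from Citrix or from any published exploit, models both in C: the vulnerable decode beside the bounded decode that the patch amounts to, and a log-line check that measures the decoded `target` of `\/gwtest\/formssso` requests. The 128-byte buffer size, the `event=start` value, the handler shapes and the log line format are assumptions; the real `nsppe` code is not public.<\/p>\n

```c
/* Added example, not Citrix/NetScaler code. Models the bug class behind
 * CVE-2023-3519 (URL-decoded parameter copied into a fixed stack buffer with no
 * length check) beside the patched pattern, then reuses the same parser to triage
 * log lines. TARGET_CAP, "event=start" and the log format are assumptions. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TARGET_CAP 128  /* assumed size of the stack buffer that holds `target` */

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Locate `name=` in a query string. Stops at '&' or a space so it also works on a
 * request line copied from a log. Returns the still-encoded value and its length. */
static const char *find_param(const char *query, const char *name, size_t *raw_len) {
    size_t nlen = strlen(name);
    for (const char *p = query; *p && *p != ' ';) {
        const char *e = p;
        while (*e && *e != '&' && *e != ' ') e++;
        if ((size_t)(e - p) > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *raw_len = (size_t)(e - (p + nlen + 1));
            return p + nlen + 1;
        }
        p = (*e == '&') ? e + 1 : e;
    }
    return NULL;
}

/* One decoding step: %xx, '+' or a literal byte; advances *i past what it consumed. */
static char decode_one(const char *v, size_t raw_len, size_t *i) {
    size_t k = *i;
    if (v[k] == '%' && k + 2 < raw_len && hexval(v[k + 1]) >= 0 && hexval(v[k + 2]) >= 0) {
        *i = k + 2;
        return (char)(hexval(v[k + 1]) * 16 + hexval(v[k + 2]));
    }
    return v[k] == '+' ? ' ' : v[k];
}

/* Vulnerable pattern: the pre-patch handler decodes straight into a TARGET_CAP stack
 * buffer like this, never comparing the decoded length with the destination. */
static void decode_unbounded(const char *v, size_t raw_len, char *dst) {
    size_t o = 0;
    for (size_t i = 0; i < raw_len; i++) dst[o++] = decode_one(v, raw_len, &i);
    dst[o] = '\0';
}

/* Patched pattern: the same decoder, but it refuses as soon as the output plus its
 * terminator would exceed cap. dst == NULL only measures. Returns length or -1. */
static long decode_bounded(const char *v, size_t raw_len, char *dst, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < raw_len; i++) {
        char c = decode_one(v, raw_len, &i);
        if (o + 1 >= cap) return -1;
        if (dst) dst[o] = c;
        o++;
    }
    if (dst) dst[o] = '\0';
    return (long)o;
}

/* Post-patch handler shape: 1 = accepted, 0 = no target parameter, -1 = rejected
 * because the decoded value would not fit (an error response instead of a crash). */
int handle_formssso_fixed(const char *query, char *target_out /* TARGET_CAP bytes or NULL */) {
    char target[TARGET_CAP];
    size_t raw_len;
    const char *v = find_param(query, "target", &raw_len);
    if (!v) return 0;
    if (decode_bounded(v, raw_len, target, sizeof target) < 0) return -1;
    if (target_out) strcpy(target_out, target);
    return 1;
}

/* Probe the boundary: "event=start&target=" followed by n 'A's through the fixed handler. */
int fixed_accepts_target_of_len(size_t n) {
    char query[1024] = "event=start&target=";
    size_t head = strlen(query);
    if (n > sizeof query - head - 1) n = sizeof query - head - 1;
    memset(query + head, 'A', n);
    query[head + n] = '\0';
    return handle_formssso_fixed(query, NULL);
}

/* Log-side triage: decoded length of `target` in a /gwtest/formssso request line,
 * 0 if the line is not one. Lengths >= TARGET_CAP deserve a look, remembering that
 * a patched appliance also answers such requests with a 500. */
long formssso_target_len(const char *line) {
    const char *p = strstr(line, "/gwtest/formssso?");
    if (!p) return 0;
    size_t raw_len;
    const char *v = find_param(p + strlen("/gwtest/formssso?"), "target", &raw_len);
    return v ? decode_bounded(v, raw_len, NULL, SIZE_MAX) : 0;
}

int main(void) {
    char out[TARGET_CAP];
    const char *short_value = "%2Fvpn%2Findex.html";            /* fits: safe to decode */
    decode_unbounded(short_value, strlen(short_value), out);
    printf("unbounded decode of a short value: %s\n", out);
    printf("fixed handler: 127 bytes -> %d, 128 bytes -> %d\n",
           fixed_accepts_target_of_len(127), fixed_accepts_target_of_len(128));
    /* constructed log line, not captured traffic */
    const char *line = "GET /gwtest/formssso?event=start&target=%41%41%41 HTTP/1.1 500";
    printf("decoded target length in log line: %ld\n", formssso_target_len(line));
    return 0;
}
```

The point the bounded decoder makes is that the check has to happen on the decoded length, not the raw one: `%41%41%41` is nine bytes on the wire and three in the buffer, so a filter that counts encoded characters both over-blocks and, for inputs like `+`, can still be wrong in the other direction. The log check uses the same rule, so a request it flags is one that would have overrun the assumed buffer, whether or not the appliance was patched at the time.<\/p>\n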
<\/p>\n
The weakness NVD assigns to this vulnerability is CWE-94, improper control of code generation, the code injection class. In practice the defect is unsafe handling of attacker-controlled input lengths: decoded request data is written past the end of a fixed buffer, and that memory corruption is what lets an attacker redirect execution in `nsppe`.<\/p>\n
<\/p>\n
Successful exploitation gives an unauthenticated attacker arbitrary code execution on an appliance that sits at the network edge and terminates VPN and authentication traffic. From there the attacker can read sensitive data such as credentials and session data passing through the device, modify its configuration, pivot into the internal network, or deploy additional malware such as web shells for persistence.<\/p>\n
<\/p>\n
Several adversary groups known for targeting vulnerabilities in widely deployed edge software such as Citrix NetScaler ADC have been observed exploiting this vulnerability, among them ExCobalt and FIN8, to gain unauthorized execution and access.<\/p>\n
Threat Actors: ExCobalt, FIN8, Fox Kitten, Unspecified Group – China<\/p>\n
<\/p>\n
The vulnerability has also been used in ransomware operations, notably by the 8Base and RansomHub families, whose operators exploit it for initial access before deploying their payloads.<\/p>\n
<\/p>\n
Citrix has released fixed builds. Upgrade to 13.0-91.13 or later, or 13.1-49.13 or later (or the corresponding fixed FIPS/NDcPP build), as soon as possible; 12.1 is end of life and must be migrated to a supported release.<\/p>\n
Restricting the management interface does not mitigate this flaw, because the vulnerable endpoint is served by the Gateway and AAA virtual servers on the data plane. If the upgrade must wait, reduce the exposure of those virtual servers to untrusted networks as far as operations allow, and treat any appliance that was internet-facing while vulnerable as potentially compromised: upgrading removes the bug but not a web shell that was already dropped, so check for indicators of compromise after patching.<\/p>\n
<\/p>\n