The BSI - Federal Office for Information Security - reports an active exploitation of a vulnerability in the Citrix Application Delivery Controller (ADC). The vulnerability managed with the CVE-2023-3519 has a CVSS value of 9.8 out of 10 and is critical! An update is available.
On 18.07.2023/2023/3519 the manufacturer Citrix announced a critical vulnerability in the products NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). The vulnerability is listed under the number CVE-9.8-XNUMX according to Common Vulnerabilities and Exposures (CVE) and rated according to CVSS with a score of XNUMX (“critical”). Thus, an unauthenticated, remote attacker could be able to execute code on the affected system. The cause is the infiltration of untrustworthy data into a programming language or runtime environment “code injection”.
Citrix: Vulnerability is already being attacked
In the published advisory from Citrix, the company reports on attempts to attack this vulnerability that have already been observed. The BSI therefore recommends that all affected NetScaler ADC and NetScaler Gateway customers install the relevant updates as soon as possible.
The following versions of NetScaler ADC and NetScaler Gateway are vulnerable
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
It should be noted that NetScaler ADC and NetScaler Gateway version 12.1 have already reached the End-of-Life (EOL) and thus will not receive any patches despite their vulnerability! In addition to the CVE-2023-3519 vulnerability, a reflected cross-site scripting (CVE-2023-3466) and a privilege escalation (CVE-2023-3467) vulnerability have also been closed.
The BSI strongly advises against the use of NetScaler ADC and NetScaler Gateway in version 12.1 because these are no longer supported by the manufacturer and therefore remain vulnerable - with the exception of the previously mentioned versions FIPS and NDcPP.
More at BSI.Bund.de
About the Federal Office for Information Security (BSI) The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.