Summary
Citrix has released an advisory regarding critical vulnerabilities in its NetScaler ADC and NetScaler Gateway products, informing users that exploits have been seen for sale on Dark Web sites and that the vulnerabilities have been exploited in the wild by threat groups. Citrix "strongly urges" users to apply patches without delay. The patches address three separate vulnerabilities, the most severe of which (CVSSv3 9.8) allows an attacker to execute code remotely without authentication.
CVE-2023-3519: Citrix ADC/Citrix Gateway Unauthenticated remote code execution
The appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server). The vulnerability would allow an unauthenticated attacker to achieve remote code execution (RCE) on the target system.
CVSSv3: 9.8
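One way to check the configuration precondition above against a saved NetScaler configuration, as an added example that is not from Citrix or the original advisory: it scans ns.conf text for "add vpn vserver" (Gateway) and "add authentication vserver" (AAA) entries. The sample configuration, its names and its addresses are constructed; a match means only that the precondition is met, not that the installed build is vulnerable.

```python
import shlex

# Constructed sample of a saved NetScaler configuration (ns.conf).
# Names and addresses are made up for illustration.
SAMPLE_NS_CONF = """\
add lb vserver lb_web HTTP 192.0.2.10 80
add vpn vserver "gw external" SSL 192.0.2.20 443 -icaOnly ON
add authentication vserver aaa_portal SSL 192.0.2.30 443
add vpn vserver gw_parked SSL 0.0.0.0 0 -state DISABLED
# add vpn vserver commented_out SSL 192.0.2.40 443
"""

# Virtual server types that match the Gateway / AAA precondition.
ROLES = {"vpn": "Gateway", "authentication": "AAA"}


def find_gateway_aaa_vservers(conf_text):
    """Return one dict per Gateway or AAA virtual server defined in conf_text."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tok = shlex.split(line)  # keeps quoted names with spaces intact
        except ValueError:
            continue  # unbalanced quotes: not a line this check can parse
        # Shape: add <type> vserver <name> <serviceType> [<ip> <port>] [-opt val]...
        if len(tok) < 5 or tok[0].lower() != "add" or tok[2].lower() != "vserver":
            continue
        role = ROLES.get(tok[1].lower())
        if role is None:
            continue
        rest = tok[5:]
        cut = next((i for i, t in enumerate(rest) if t.startswith("-")), len(rest))
        addr, flags = rest[:cut], rest[cut:]
        opts = {k.lower(): v for k, v in zip(flags[0::2], flags[1::2])}
        ip = addr[0] if addr else "0.0.0.0"
        found.append({
            "role": role, "name": tok[3], "ip": ip,
            "enabled": opts.get("-state", "ENABLED").upper() != "DISABLED",
            "addressable": ip != "0.0.0.0",
        })
    return found


if __name__ == "__main__":
    for vserver in find_gateway_aaa_vservers(SAMPLE_NS_CONF):
        print(vserver)
```

Disabled or non-addressable entries are reported with flags and not dropped, since they can be enabled later without the patch status changing.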
CVE-2023-3466: Reflected Cross-Site Scripting (XSS)
Requires the victim to access an attacker-controlled link in the browser while on a network with connectivity to the NetScaler IP (NSIP). This would allow the attacker to conduct an XSS attack against the target.
CVSSv3: 8.3
CVE-2023-3467: Privilege Escalation to root administrator (nsroot)
Allows an attacker to escalate privileges to nsroot (root administrator).
CVSSv3: 8.0
Affected versions
Mitigations
Citrix has released patches to address these vulnerabilities.
Additional Resources
https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-days/