A critical-severity remote code execution (RCE) flaw in Citrix ADC and Citrix Gateway has been confirmed to be exploited in the wild. The products are now known as NetScaler ADC and NetScaler Gateway, and both end-of-life and supported versions are vulnerable to this flaw and to two other vulnerabilities addressed in the latest security update from Citrix. For an attacker to exploit the critical RCE flaw, the device must be configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server (authentication virtual server). VPN gateways are designed to connect two or more sites, networks, or devices so that they can communicate securely, and they can also be used to join multiple VPNs together. This makes an exploitable vulnerability in a VPN gateway particularly dangerous: it increases the possibility of lateral movement throughout the VPN environment and into other remote sites, networks, and devices.
CVE-2023-3519, the critical RCE flaw, has been assigned a CVSS base score of 9.8/10. This code injection vulnerability is believed to have been published on hacking forums earlier this month as an exploitable zero-day, after which Citrix became aware of it and began developing a patch before disclosing the details. The exploit, which is known to be in use in the wild, can be performed by a remote, unauthenticated attacker and results in execution of arbitrary code on the VPN gateway system.
The other two vulnerabilities patched in the most recent Citrix update are both high-severity flaws, neither of which is believed to be actively exploited. CVE-2023-3466 is a cross-site scripting (XSS) flaw caused by improper input validation of properties during data processing. To exploit it, the victim must visit a malicious link while connected to a network with access to the NetScaler IP. Because this requires user interaction, it is considered less severe than flaws that an attacker can exploit alone. CVE-2023-3467 is an improper privilege management vulnerability that allows an attacker to escalate their privileges to root administrator (nsroot). It can only be exploited after the attacker has first gained authenticated access to the NetScaler IP or Subnet IP on the management interface.
Citrix is urging users to update to the relevant patched version as soon as possible to mitigate these flaws. The patched releases are NetScaler ADC and NetScaler Gateway 13.1-49.13 and 13.0-91.13, NetScaler ADC 13.1-FIPS 13.1-37.159, 12.1-FIPS 12.1-55.297 and 12.1-NDcPP 12.1-55.297, and later releases. NetScaler ADC and NetScaler Gateway version 12.1 is affected by these vulnerabilities, but it is an end-of-life product and no longer supported by Citrix. No update will be made available for this version, and customers should instead upgrade to a supported version of the gateway. End-of-life software and devices should not be used: they are not patched for newly discovered flaws and therefore present a more easily exploited attack surface for cyber criminals.
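To turn the fixed-build list above into a fleet check, here is an added Python example (not Citrix tooling or part of the original advisory). It assumes that appliance versions are reported as MAJOR.MINOR-BUILD.SUB and that the edition (standard, FIPS or NDcPP) is known and passed separately, since the same build number is fixed on one edition and unpatched on another; the hostnames and builds in the sample inventory are constructed.

```python
import re

# Fixed builds named in the advisory summary above, keyed by (release, edition).
FIXED_BUILDS = {
    ("13.1", "standard"): "13.1-49.13",
    ("13.0", "standard"): "13.0-91.13",
    ("13.1", "FIPS"): "13.1-37.159",
    ("12.1", "FIPS"): "12.1-55.297",
    ("12.1", "NDcPP"): "12.1-55.297",
}
# Standard 12.1 is end of life: affected, and no fix will be published for it.
EOL_RELEASES = {("12.1", "standard")}


def parse_build(version):
    """Turn 'MAJOR.MINOR-BUILD.SUB' (e.g. '13.1-48.47') into a comparable int tuple."""
    m = re.match(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, edition="standard", gateway_or_aaa=False):
    """status: 'patched', 'vulnerable', 'vulnerable-eol' or 'unknown-release'.
    rce_exposed: True only when unpatched AND configured as a gateway/AAA vserver,
    the precondition the advisory gives for CVE-2023-3519; the XSS and privilege
    escalation flaws apply to any unpatched build, so patch regardless."""
    build = parse_build(version)
    key = (f"{build[0]}.{build[1]}", edition)
    if key in EOL_RELEASES:
        status = "vulnerable-eol"
    elif key not in FIXED_BUILDS:
        status = "unknown-release"
    elif build >= parse_build(FIXED_BUILDS[key]):
        status = "patched"
    else:
        status = "vulnerable"
    return {"status": status,
            "rce_exposed": status.startswith("vulnerable") and gateway_or_aaa}


# Constructed sample inventory: hostnames and builds are illustrative, not real systems.
SAMPLE_INVENTORY = [
    ("ns-gw-01", "13.1-48.47", "standard", True),   # below 13.1-49.13 and a gateway
    ("ns-gw-02", "13.1-49.13", "standard", True),   # exactly the fixed build
    ("ns-fips-01", "13.1-37.159", "FIPS", True),    # fixed for FIPS; unpatched as standard
    ("ns-lb-01", "13.0-90.12", "standard", False),  # unpatched, no gateway/AAA: still patch
    ("ns-old-01", "12.1-65.35", "standard", True),  # end of life: upgrade, no patch will ship
]
```

Run `assess(version, edition, gateway_or_aaa)` over each inventory row; a release the advisory does not list comes back as `unknown-release` rather than being assumed safe.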