Background / What has happened?
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) is tracking multiple vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway that may be in use on Australian networks.
The ASD’s ACSC has assessed that there is significant exposure to these Citrix NetScaler ADC and NetScaler Gateway vulnerabilities in Australia and that any future exploitation would have significant impact to Australian systems and networks.
The ASD’s ACSC is aware that there have been successful exploitation attempts against Australian organisations at this time.
Citrix report that they have observed exploitation of CVE-2023-3519 and CVE-2023-4966 on unmitigated appliances.
- CVE-2023-3519 allows a malicious actor to exploit a vulnerability and execute code remotely without authentication.
- CVE-2023-4966 may allow a malicious actor to exploit a vulnerability to obtain sensitive information disclosure and conduct session hijacking.
Mitigation / How do I stay secure?
Australian organisations should review their networks for use of vulnerable instances of Citrix NetScaler ADC and NetScaler Gateway.
Affected customers of NetScaler ADC and NetScaler Gateway are strongly urged to install the relevant updated versions as soon as possible.
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
The ASD’s ACSC strongly recommends that affected Australian organisations review these mitigations and apply where possible as a matter of high priority. Affected organisations should monitor for any future patch releases from Citrix NetScaler ADC and NetScaler Gateway.
- Review the identified systems, vendor and security researchers advisories to determine if your systems are affected.
- After patching, apply the remediation methods supplied in the guidance below to invalidate all current sessions.
- Session Hijacking is difficult to detect, you may also wish to check for evidence of lateral movement.
- Organisations should also consider rotating Key credentials for any identities provisioned for accessing resources via a ADC appliance.
ASD’s ACSC recommends checking ns logs for session hijacking as this may indicate successful exploitation. Exploitation may be detected via httpaccess logs GET request to /oauth/idp/.well-known/openid-configuration or /oauth/rp/.well-known/openid-configuration with the Host parameter of a significant length (often filled with ‘a’ characters).
Citrix devices can be provisioned to forward logs to a central location, such as a syslog server. If your organisation does not have this in place, available log data may not be able to confirm compromise. General advice on log collection for gateway devices is available, under the Log Collection Strategy section.
ASD’s ACSC developed the Essential Eight which provides mitigation strategies to assist in organisations protecting themselves against various cyber threats. The Essential Eight includes guidance on patching applications and patching operating systems. ASD’s ACSC recommends implementing the Essential Eight for best practice to reduce the likelihood of opportunistic actors exploiting a known vulnerability.
For more information, please refer to the following resources:
- NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967 (citrix.com) (Citrix)
- Guidance for Addressing Citrix NetScaler ADC and Gateway Vulnerability CVE-2023-4966, Citrix Bleed | CISA (CISA)
The ASD’s ACSC aware of three additional vulnerabilities CVE-2023-3467, CVE-2023-3466 and CVE-2023-4967. More information can be found on Citrix Support Knowledge Centre.
Assistance / Where can I go for help?
The ASD’s ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations that have been impacted or require assistance can contact the ASD’s ACSC via 1300 CYBER1.