Critical Citrix ADC & Citrix Gateway vulnerabilities CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

The manufacturer Citrix informed about critical vulnerabilities on 18 July. In particular, CVE-2023-3519 should be patched as soon as possible, as it was given a CVSS of 9.8.

The vulnerabilities relate to NetScaler ADC (formerly Citrix ADC) and also NetScaler Gateway (formerly Citrix Gateway). The following supported versions are affected:

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

What are the risks of exploiting the vulnerabilities?

CVE ID	Description	Prerequisite	CVSS
CVE-2023-3466	Reflected Cross-Site Scripting (XSS)	The victim must access a link in the browser controlled by the attacker, while on a network connected to the NSIP.	8.3
CVE-2023-3467	Privilege Escalation to root administrator (nsroot)	Authenticated access to NSIP or SNIP with access to the management interface	8.0
CVE-20233519	Unauthenticated remote code execution	The appliance must be configured as Gateway (virtual VPN server, ICA proxy, CVPN, RDP proxy) OR Virtual AAA server	9.8

What should you do now?

It is imperative that you apply all recommended patches at short notice. The manufacturer specifies the following versioning:

NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

In addition, we recommend checking whether the vulnerability has already been exploited. In other words, check log files, take a close look at the reports from the early detection technologies and carry out analyses if necessary.

We are happy to answer any questions you may have.

Critical Citrix ADC & Citrix Gateway Vulnerabilities CVE-2023-3519, CVE-2023-3466, CVE-2023-3467