Updated September 8, 2003, with additional guidance from the Cybersecurity and Infrastructure Security Agency (CISA)
On July 18, 2023, Cloud Software Group released builds to fix CVE-2023-3519, which affects NetScaler ADC and NetScaler Gateway if they are configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy ) or AAA virtual server. If exploited, CVE-2023-3519 could result in unauthenticated remote code execution.
As part of our internal reviews and in working with our customers, we identified builds of NetScaler ADC and NetScaler Gateway that are affected by the vulnerability. You can find details in the security bulletin.
If you are using affected builds and have configured NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or AAA virtual server, we strongly recommend that you immediately install the recommended builds because this vulnerability has been identified as critical. No workarounds are available for this vulnerability.
We are aware of targeted attacks in the wild exploiting this vulnerability. In both this communication and the related security bulletin, we are sharing limited technical details to protect our customers from exploits.
The Cybersecurity and Infrastructure Security Agency (CISA) released an updated cybersecurity advisory for CVE-2023-3519 on September 6, 2023, with new tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) received from an additional victim and trusted third parties. Additionally, Mandiant has provided guidance and an Indicators of Compromise (IOC) Scanner for CVE-2023-3519. If you are a Citrix-managed cloud service or Citrix-managed Adaptive Authentication customer, no action is required. This guidance applies to customer-managed NetScaler ADC or NetScaler Gateway only.
Recommended next steps
If you are using any of the affected builds listed in the security bulletin, you should update immediately.
If you are using NetScaler ADC or NetScaler Gateway instances on an SDX platform, you will need to upgrade VPX instances (the underlying SDX platform, itself, is not affected).
NetScaler ADC and NetScaler Gateway appliances that are not configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or AAA virtual server (traditional load balancing configurations, for example) and related products such as NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.
Permanent fixes are available to download for NetScaler ADC and NetScaler Gateway:
For an overview of the steps to identify and remediate vulnerable NetScaler ADCs through NetScaler Application Delivery Management (formerly Citrix ADM), watch this video.
We recommend following the NetScaler secure configuration and deployment guide.
Learn more and stay up to date
- Read the security bulletin
- Sign up for security bulletin notifications
- Consult the best practices deployment guide
NetScaler and Citrix are both business units of Cloud Software Group, and for now we are sharing the same ticketing system. If you encounter issues when you are updating your affected builds, contact Citrix Customer Support.
As a NetScaler customer, what should I do now?
Exploits of this vulnerability have been reported. If you are using the affected builds of NetScaler ADC and NetScaler Gateway, we strongly urge you to install the updated builds as soon as possible, which are referenced in the security bulletin.
What is the impact of this vulnerability?
An unauthenticated attacker can perform remote code execution. Please refer to the security bulletin.
Is Cloud Software Group planning to deliver a code fix?
Yes, Cloud Software Group has delivered a code fix. Please refer to the security bulletin.
Is there a workaround or mitigation that I can use instead of updating?
No workarounds or mitigations are available beyond upgrading to a build that addresses the vulnerability as described in the security bulletin.
How urgent is it for me to fix my deployment?
Customers using an affected build are urged to install the recommended updates immediately, as this vulnerability has been identified as critical. We are aware of targeted attacks in the wild using this vulnerability.
Does this vulnerability affect only on-premises deployments, or are cloud services also impacted?
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway appliances. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
Can I fix this vulnerability using Web Application Firewall signatures?
No, it is not possible to fix the vulnerability with Web Application Firewall signatures.
How will I know if my device is already compromised?
Cloud Software Group is unable to provide forensic analysis to determine if a system may have been compromised. As noted, the Cybersecurity and Infrastructure Security Agency (CISA), has released a Cybersecurity Advisory (CSA) with detection and mitigation guidance for tools leveraged by a malicious actor against ADC. As of September 6, 2023, CISA has updated the advisory with new tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) received from an additional victim and trusted third parties.The updated Cybersecurity Advisory is available here. Also, Mandiant has published Indicators of Compromise Scanner that is available here.
What is the CVSS score for this issue?
The CVSS score of CVE-2023-3519 is 9.8.
Are there additional details on the NetScaler ADC and NetScaler Gateway vulnerability that are not in the security bulletin?
No. Cloud Software Group is limiting information to the details contained in its security bulletin.
Does Cloud Software Group provide forensic analysis?
Cloud Software Group recommends that customers reference the National Security Agency (NSA) guidance, which includes detection and mitigation guidance for tools leveraged by a malicious actor against NetScaler ADC and NetScaler Gateway.
Why did Cloud Software Group not reach out directly to me in advance?
To best protect all of our customers, Cloud Software Group releases security bulletins to customers and the public simultaneously. This is standard industry practice to ensure that all customers can upgrade as soon as possible. We provided notifications to customers who had signed up to receive security bulletins. If you are not receiving NetScaler security bulletins, update your support alert settings.
What additional validation can Cloud Software Group provide to aid in my incident response?
Cloud Software Group has released a feature in NetScaler Application Delivery Management (ADM) to enable you to perform file integrity monitoring for NetScaler build files. The feature helps you identify if changes or additions have been made to the NetScaler core build files.
How can I get support?
If you encounter any issues during your update, contact Citrix Customer Support. NetScaler and Citrix are both business units of Cloud Software Group, and for now we are sharing the same ticketing system.
Where can I learn more about this vulnerability?
You can find more details in the following:
How do I stay up to date on the latest security updates?
Sign up for security bulletin notifications.
How do I learn more about reporting any potential security vulnerabilities?
Cloud Software Group welcomes input regarding the security of its products and takes any potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Cloud Software Group, please visit our trust center.
Cloud Software Group is committed to incorporating your feedback as we adapt our communication and customer support offerings. To provide feedback, contact us.