Citrix urged its customers on Tuesday to immediately patch NetScaler ADC and Gateway appliances exposed online against two actively exploited critical zero-day vulnerabilities.
The two zero-days (tracked as CVE-2023-6548 and CVE-2023-6549) impact the NetScaler management interface and expose unpatched NetScaler instances to remote code execution and denial-of-service attacks, respectively.
The Citrix Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.
Key Executive Communication Points:
· HHS’ security team, the Health Sector Cybersecurity Coordination Center (HC3), has also issued a sector-wide alert urging health organizations to secure their NetScaler ADC and NetScaler Gateway instances against surging ransomware attacks.
· Security researchers have identified an authenticated remote code execution weakness.
· The vulnerability allows attackers to perform Denial of Service attacks.
· Researchers have indicated that Availability is the primary impacted attribute and have not recognized impacts on data Confidentiality or Integrity related to this specific vulnerability.
· Citrix has mitigated these vulnerabilities in the most recent versions of NetScaler ADC and NetScaler Gateway.
· Who: Citrix has acknowledged (NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967) the vulnerabilities and has updated NetScaler ADC and NetScaler Gateway to address these issues. For those situations where updating the NetScaler devices would negatively impact the business, the Citrix Cloud Software Group strongly recommends that network traffic to the appliance’s management interface be separated, either physically or logically, from normal network traffic. In addition, they recommend not exposing the management interface to the internet, as explained in the secure deployment guide. Removing such exposure to the internet greatly reduces the risk of exploitation of these issues.
· What: Security researchers have identified an authenticated remote code execution weakness and a weakness that allows for a Denial-of-Service attack. The vulnerabilities are defined in CVE-2023-6548 and CVE-2023-6549.
o Note that updating to the latest version of NetScaler ADC and NetScaler Gateway will also address previous critical vulnerabilities, specifically CVE-2023-4966, CVE-2023-4967, CVE-2023-3466, CVE-2023-3467, and CVE-2023-3519.
· When: CVE-2023-6548 and CVE-2023-6549 were discovered in the second half of 2023 and are actively being exploited.
· Where: Citrix has identified the following releases as being affected:
o NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
o NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
o NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
o NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
o NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
o NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP
o Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.
· Why: The vulnerabilities resolved in the latest Citrix releases focus on impacting the Availability (see CIA Triad) of an application’s operating infrastructure leveraging X.509 certificate services. Current research has not indicated that the Confidentiality or Integrity of data can be affected by exploiting this vulnerability.
· How: No proof-of-concept exploit has been released; however, the vulnerabilities have been actively exploited by bad actors.
· Mitigating Factors: To gain code execution, attackers must be logged in to low-privilege accounts on the targeted instance and need access to NSIP, CLIP, or SNIP with management interface access. Also, the appliances must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be vulnerable to DoS attacks. Further, Citrix notes that only customer-managed NetScaler appliances are impacted by the zero-days, while Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected.
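The mitigating factors above (customer-managed only, management interface exposure, gateway/AAA configuration, the EOL 12.1 line) translate directly into a triage rule for an inventory. The following is an added example, not EVOTEK or Citrix code; the Appliance record, its field names and the priority labels are assumptions, and patch status is assumed to come from the organization’s vulnerability scanner.

```python
"""Triage a NetScaler inventory against the advisory's exposure conditions.
Constructed example; inventory fields and priority labels are assumptions."""
import re
from dataclasses import dataclass

# Gateway/AAA roles named in the advisory as the precondition for the DoS issue.
GATEWAY_ROLES = {"vpn", "ica_proxy", "cvpn", "rdp_proxy", "aaa"}
BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")  # e.g. "13.1-51.15"


@dataclass
class Appliance:
    name: str
    build: str                   # NetScaler build string, e.g. "13.1-51.15"
    variant: str                 # "", "FIPS" or "NDcPP"
    customer_managed: bool       # Citrix-managed services are out of scope
    mgmt_internet_exposed: bool  # NSIP/CLIP/SNIP reachable from the internet
    roles: set                   # configured vserver roles on this appliance
    patched: bool                # as reported by the vulnerability scanner


def release_line(build):
    """Return the major.minor release line, or raise on a malformed build."""
    m = BUILD_RE.match(build)
    if not m:
        raise ValueError(f"unrecognised NetScaler build: {build!r}")
    return f"{m.group(1)}.{m.group(2)}"


def triage(a):
    """Classify one appliance: remediation priority plus recommended actions."""
    if not a.customer_managed:
        return {"priority": "none", "actions": ["Citrix-managed: no customer action"]}
    # Plain 12.1 (not FIPS/NDcPP) is EOL and stays vulnerable regardless of build.
    eol = release_line(a.build) == "12.1" and a.variant == ""
    if a.patched and not eol:
        return {"priority": "none", "actions": []}
    actions = ["12.1 is EOL: migrate to a supported release line" if eol
               else "apply the updated NetScaler release"]
    if a.mgmt_internet_exposed:
        priority = "P1"  # management interface reachable from the internet
        actions.append("remove internet exposure of the management interface")
    elif a.roles & GATEWAY_ROLES:
        priority = "P2"  # gateway/AAA role: in scope for the DoS vulnerability
    else:
        priority = "P3"  # RCE scope only, management interface already isolated
    actions.append("separate management traffic physically or logically")
    return {"priority": priority, "actions": actions}
```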
Remediation of vulnerabilities within an affected environment should follow a predictable, defined, and structured vulnerability and patch management process. If your organization maintains such a program, leveraging this program to resolve this vulnerability as quickly as possible is advisable. In the absence of such a program, the following means should be considered as you address this threat posed to your organization. In either context, considering key points throughout this advisory to optimize your approach will serve your organization well in leveraging security as a business enabler.
· Identify Affected Systems – Leveraging vulnerability scanning tools (Tenable, Rapid7, Qualys, etc.), asset inventories (you may have multiple), and public scanners will enable you to identify affected assets in your environment to which the updated releases should be applied.
· Patch Systems As Soon As Possible – Partner with your business owners and stakeholders to identify a patch window that offers risk remediation in the timeliest manner; this may occur before or in alignment with your next standard patching cycle, given that most organizations center their patch cycles around Microsoft’s “Patch Tuesday.”
· Alternate Patching Methods – In addition to patching known systems with this vulnerability, it is recommended to update Next Generation Firewalls (NGFWs) and Intrusion Detection and Prevention Systems (IDPS) with detection/prevention signatures to mitigate risk to unknown systems or systems that do not have a patch readily available. It is essential to test these signatures before preventing traffic with them.
· Take a Risk-Based Approach – Partner with your business to understand the true risk posed to your organization. Consider the attack vectors posed by the threat, the architecture/design of your affected systems, the impact to the business to patch and refresh the services leveraging NetScaler and the impact those actions may have on business operations, and perhaps most importantly, consider the compensating controls already present in your business which may be appreciably reducing the market-standard vulnerability risk rating assigned to these vulnerabilities.
· Adhere To Your Corporate Policies Where Available – Where corporate vulnerability and patch management policies, standards, processes, and guidelines already exist, use these as cornerstones to modeling your approach for this remediation tracking. These are policies that articulate the risk tolerance of your business, define the level of resourcing your organization is comfortable assigning to such matters, and define established intake and operational execution pathways that your organization is best equipped to leverage during the vulnerability management process.
· Compensatory Controls – Search, inventory, and assess any compensatory controls which may already be working to reduce/mitigate your organization’s risk to this vulnerability. Your organization has invested significant cost, effort, and focus on implementing controls that broadly reduce risk to your organization; do not fail to recognize the value and effectiveness of your organization’s investments as you work to evaluate the “True Risk” posed to your organization.
· Administrative Actions – Work with available resources to provide use-specific monitoring for critical systems or highly-exposed systems which are affected by the vulnerability as your organization progresses throughout the vulnerability remediation process. This may include critical application health checks, focused monitoring by a dedicated monitoring group (e.g., NOC, SOC, etc.), or similar focused-attention efforts to ensure the continuity of business-critical applications and assets.
· Communication Plans – Communicate openly and transparently with your affected stakeholders and relevant external agencies (e.g., Law Enforcement, Auditors, etc.) in a manner that is, ideally, already defined by your organization. In the absence of already-defined communication plans, work with your stakeholders to identify a tolerable cadence and make a note in your After-Action Review to establish a standard post-event.
· After-Action Review – Following remediation of the vulnerability on affected systems, a focused After-Action Review of your organization’s response capabilities is advisable to recognize areas for process improvement and optimization. Specific categories of concern may include, but should not be limited to, asset and application inventory capabilities, resource readiness, threat intelligence response timeliness, scanning and reporting capabilities, and communication effectiveness.
· Artifact Updates – Following a constructive After-Action Review, your organization’s governance function should work to identify any artifact updates necessary to resolve any identified inefficiencies in your incident response process(es).
There are many public resources available to assist. Besides the FBI, InfraGard, and IT-ISAC, the US Cybersecurity & Infrastructure Security Agency (CISA) is an excellent resource for all companies across the public and private sectors. CISA’s Shields Up campaign emphasizes that every organization must prepare, detect, respond, and mitigate the impact of attacks. Shields Up includes timely updates, guidance for all organizations, recommendations for CEOs and leaders, ransomware response, and even free tools and steps to protect yourself and your family.
Speak With Our Experts:
At EVOTEK, we have seasoned security practitioners and advisors who can help assess specific risks and advise on risk mitigation strategies and tactical steps to counter and respond to cyber threats. Be sure to reach out to email@example.com for more information.