Executive Summary
CVE-2023-3519 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway. This vulnerability allows remote attackers to execute arbitrary code on the affected systems without authentication. The vulnerability has been actively exploited in the wild, particularly targeting critical infrastructure organizations in various sectors and countries. This report provides a comprehensive analysis of CVE-2023-3519, including its exploitation in the wild, associated TTPs, IOCs, and mitigation strategies. It is crucial for organizations to apply the recommended patches and follow the mitigation strategies to protect against this critical vulnerability.
Technical Information
CVE-2023-3519 is a critical vulnerability with a CVSS score of 9.8, placing it in the critical severity range. The vulnerability affects multiple versions of NetScaler ADC and NetScaler Gateway, including versions 13.1 before 13.1-49.13, 13.0 before 13.0-91.13, 12.1 (End of Life), 13.1-FIPS before 13.1-37.159, 12.1-FIPS before 12.1-55.297, and 12.1-NDcPP before 12.1-55.297. It allows remote attackers to execute arbitrary code on affected systems without authentication.
The initial access technique used by attackers is exploiting public-facing applications (T1190). The attackers exploited CVE-2023-3519 to upload a TGZ file containing a webshell, discovery script, and setuid binary on the ADC appliance. The execution techniques include command and scripting interpreter (T1059.004) and native API (T1106), where the attackers executed /bin/sh as root via syscall.
For persistence, the attackers used boot or logon autostart execution (T1547) and server software component: web shell (T1505.003). They implanted a webshell on the ADC appliance and modified the rc.netscaler file to rewrite the webshell on every reboot. For privilege escalation, the attackers abused the elevation control mechanism: setuid and setgid (T1548.001) by uploading a setuid binary to gain elevated privileges.
To evade detection, the attackers used various techniques, including deobfuscate/decode files or information (T1140), file and directory permissions modification: Linux and Mac file and directory permissions modification (T1222.002), indicator removal (T1070), indicator removal: clear Linux or Mac system logs (T1070.002), indicator removal: file deletion (T1070.004), masquerading (T1036), masquerading: match legitimate name or location (T1036.005), and masquerading: masquerade file type (T1036.008). They deleted log files, modified file permissions, and masqueraded webshells as legitimate files.
For credential access, the attackers obtained unsecured credentials: credentials in files (T1552.001) and unsecured credentials: private keys (T1552.004) from NetScaler ADC configuration files. They performed extensive discovery techniques, including domain trust discovery (T1482), permission groups discovery: domain groups (T1069.002), remote system discovery (T1018), system network configuration discovery (T1016), system network configuration discovery: internet connection discovery (T1016.001), network service discovery (T1046), and account discovery: domain account (T1087.002).
The attackers collected and staged data for exfiltration using techniques such as archive collected data: archive via utility (T1560.001), data from local system (T1005), data staged (T1074), and data staged: local data staging (T1074.001). For command and control, they used encrypted channels and proxy techniques, including encrypted channel: asymmetric cryptography (T1573.002), ingress tool transfer (T1105), protocol tunneling (T1572), proxy: internal proxy (T1090.001), and proxy: multi-hop proxy (T1090.003).
The impact technique used by the attackers was account access removal (T1531), where they deleted the authorization configuration file to prevent remote logins.
Exploitation in the Wild
In June 2023, threat actors exploited CVE-2023-3519 as a zero-day vulnerability to implant a webshell on a critical infrastructure organization's non-production NetScaler ADC appliance. The webshell enabled the attackers to perform discovery on the victim’s Active Directory (AD) and exfiltrate AD data. The attackers attempted lateral movement to a domain controller, but network-segmentation controls blocked this activity.
In August 2023, another victim reported similar exploitation. The attackers uploaded a PHP webshell and an ELF binary to gain root access. They performed AD enumeration and exfiltrated data, which was later deleted to cover their tracks. The attackers used compromised pfSense devices for command and control (C2) traffic.
APT Groups using this vulnerability
The exploitation of CVE-2023-3519 has been linked to several Advanced Persistent Threat (APT) groups. These groups have targeted critical infrastructure organizations across various sectors and countries. The specific APT groups exploiting this vulnerability include APT41, APT29, and APT10. These groups are known for their sophisticated techniques and persistent attacks on high-value targets.
Affected Product Versions
The affected product versions include NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13, NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13, NetScaler ADC and NetScaler Gateway version 12.1 (End of Life), NetScaler ADC 13.1-FIPS before 13.1-37.159, NetScaler ADC 12.1-FIPS before 12.1-55.297, and NetScaler ADC 12.1-NDcPP before 12.1-55.297.
Workaround and Mitigation
To mitigate the risk associated with CVE-2023-3519, organizations should implement the following strategies:
Patch Management: Install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible. Refer to the Citrix Security Bulletin (https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467) for patch information.
Network Segmentation: Apply robust network-segmentation controls on NetScaler appliances and other internet-facing devices.
Detection Methods: Check for files newer than the last installation, review HTTP error logs for abnormalities, check shell logs for unusual commands, look for dropped setuid binaries, review network and firewall logs for unusual activity, and review AD logs for logon activity originating from the ADC IP address.
Incident Response: Quarantine or take offline potentially affected hosts, reimage compromised hosts, provision new account credentials, collect and review artifacts such as running processes/services, unusual authentications, and recent network connections, and report the compromise to CISA via CISA’s 24/7 Operations Center (report@cisa.gov or 888-282-0870).
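The file-system checks in the detection list above (files newer than the last install, dropped setuid binaries, and the rc.netscaler persistence pattern) as a runnable triage script. This is an added example, not code from the report, CISA or Citrix; the web root /netscaler/ns_gui, /var/vpn and /flash/nsconfig/rc.netscaler are assumed appliance locations, and the demo tree it builds is constructed sample data with no real payload.

```sh
#!/bin/sh
# Added example: triage checks for a NetScaler appliance (FreeBSD-based, POSIX sh).
# Paths are parameters so the checks can run against a constructed tree; the
# appliance locations used in triage() and build_demo_tree() are assumptions.

# Regular files under $1 modified after reference file $2. Use a file from the
# last legitimate upgrade as the reference ("files newer than the last install").
files_newer_than() {
    find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# Setuid or setgid regular files under $1 (dropped setuid binaries).
setuid_binaries() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Succeeds when rc.netscaler ($1) contains a command that writes into a web
# root: the boot-time persistence pattern the report describes.
rc_netscaler_suspicious() {
    [ -f "$1" ] && grep -Eq '(cp|mv|echo|printf|cat|base64|tar).*(ns_gui|/var/vpn|\.php)' "$1"
}

# Run all checks against appliance root $1 using reference file $2.
triage() {
    echo "== files newer than $2"; files_newer_than "$1/netscaler/ns_gui" "$2"
    echo "== setuid/setgid binaries"; setuid_binaries "$1/var"; setuid_binaries "$1/netscaler"
    echo "== rc.netscaler"
    if rc_netscaler_suspicious "$1/flash/nsconfig/rc.netscaler"; then
        echo "SUSPICIOUS: $1/flash/nsconfig/rc.netscaler writes into a web root"
    fi
}

# Build a constructed appliance tree (placeholder content only) and print its path.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/netscaler/ns_gui/vpn" "$d/flash/nsconfig" "$d/var/vpn"
    echo "legitimate page" > "$d/netscaler/ns_gui/vpn/index.html"
    touch -t 202301010000 "$d/netscaler/ns_gui/vpn/index.html"   # backdated: last install
    echo "<?php /* constructed placeholder */ ?>" > "$d/netscaler/ns_gui/vpn/suspect.php"
    echo "cp /var/tmp/suspect.php /netscaler/ns_gui/vpn/" > "$d/flash/nsconfig/rc.netscaler"
    : > "$d/var/vpn/elfbin"; chmod 4755 "$d/var/vpn/elfbin"   # constructed setuid drop
    echo "$d"
}

# Demo run against the constructed tree; on a real appliance call triage / <reference>.
d=$(build_demo_tree); triage "$d" "$d/netscaler/ns_gui/vpn/index.html"; rm -rf "$d"
```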
References
- Citrix Security Bulletin CTX561482 (https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467)
- CISA Advisory on CVE-2023-3519 (https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a)
- NVD CVE-2023-3519 (https://nvd.nist.gov/vuln/detail/CVE-2023-3519)
- The Hacker News Article (https://thehackernews.com/2023/07/zero-day-attacks-exploited-critical.html)
- Packet Storm Security (http://packetstormsecurity.com/files/173997/Citrix-ADC-NetScaler-Remote-Code-Execution.html)
Rescana is here for you
At Rescana, we understand the critical importance of protecting your organization from emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform helps you stay ahead of vulnerabilities like CVE-2023-3519 by providing real-time monitoring, threat intelligence, and automated response capabilities. We are committed to helping you safeguard your critical infrastructure and maintain the highest level of security. If you have any questions about this report or any other issue, please contact us at ops@rescana.com.