A critical security issue was announced in late July 2023 affecting Citrix/NetScaler appliances. BreachBits analyzed this threat and rapidly deployed detection capabilities to our BreachRisk™ subscribers. If you subscribe to BreachRisk™, we have enhanced your attack surface detection capabilities and you were sent an email notifying you if this issue was detected in your environment. Testing capabilities are forthcoming.
If you are a BreachRisk™ subscriber, check your email for a BreachBits Service Advisory to see if we detect this threat in your attack surface. The email subject includes the phrase "Security Advisory: Citrix Vulnerability (CVE-2023-3519)".
Background
The Cybersecurity and Infrastructure Security Agency (CISA) announced that attackers have exploited a zero-day vulnerability (NVD CVE-2023-3519) in at least one organization's NetScaler Application Delivery Controller (ADC) (formerly Citrix ADC) appliance. Attackers were able to leverage the vulnerability to gain initial access and establish a foothold in the organization's internal environment.
Our BreachRisk™ service helps subscribers automatically and continuously detect, gauge, and test the ways hackers can cause a cyber breach. As a part of this service, when new threats are announced, we rapidly reverse engineer the threat and notify our customers if they appear to be affected. We notified customers on or before July 24, 2023, letting them know if they are affected or not.
Citrix released a Security Bulletin for Citrix/NetScaler ADC which contains guidance for users of the affected appliance along with technical details that are being updated as the situation develops.
As a part of our continuous process, BreachBits has analyzed this threat and has deployed detection capability for BreachRisk™ subscribers.
Exploitation and Impact
While a public proof-of-concept exploit for this vulnerability has not been released, CISA released a bulletin documenting at least one known case of attackers leveraging the vulnerability to cause a breach. Impact is rated at the highest (most dangerous) level issued by the NIST National Vulnerability Database. Expect more attention on this vulnerability in the coming weeks/months given the high impact rating and the widespread use of these products.
Affected Applications
Note: Only self-hosted appliances (i.e. not cloud-hosted, Citrix-hosted or Citrix-managed) running one of the versions listed below are affected.
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-55.297
NetScaler ADC 12.1-NDcPP before 12.1-55.297
NetScaler ADC and NetScaler Gateway version 12.1
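As an added example (not BreachBits' code or detection logic), the following Python turns the version ranges above into a check that can be run against an inventory of self-hosted appliances; the hostnames and build strings in the sample inventory are constructed for the example.

```python
import re

# Fixed builds from the advisory, keyed by branch; None = whole branch listed as affected.
# Added example, not BreachBits' detection logic.
FIXED_BUILDS = {
    "13.0": "13.0-91.13",
    "13.1": "13.1-49.13",
    "13.1-FIPS": "13.1-37.159",
    "12.1-FIPS": "12.1-55.297",
    "12.1-NDcPP": "12.1-55.297",
    "12.1": None,
}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version):
    """Turn a NetScaler build string such as '13.0-91.13' into a comparable int tuple."""
    m = _BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return tuple(int(part) for part in m.groups())


def classify_build(version, variant=""):
    """Classify a self-hosted build against the advisory's ranges.

    variant is '' for standard ADC/Gateway, or 'FIPS' / 'NDcPP' for the hardened branches.
    Returns 'affected', 'fixed', or 'not listed' (the advisory says nothing about that branch).
    """
    build = parse_build(version)
    branch = f"{build[0]}.{build[1]}" + (f"-{variant}" if variant else "")
    if branch not in FIXED_BUILDS:
        return "not listed"
    fixed = FIXED_BUILDS[branch]
    if fixed is None:
        return "affected"  # e.g. every standard 12.1 build is listed as affected
    return "affected" if build < parse_build(fixed) else "fixed"


if __name__ == "__main__":
    # Constructed inventory: hostnames and builds are made up for this example.
    inventory = [
        ("gw1.example.internal", "13.0-91.12", ""),
        ("gw2.example.internal", "13.1-49.13", ""),
        ("fips1.example.internal", "13.1-37.158", "FIPS"),
        ("legacy.example.internal", "12.1-55.290", ""),
    ]
    for host, version, variant in inventory:
        print(f"{host:24} {version:12} {variant or 'standard':9} {classify_build(version, variant)}")
```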
What we are doing
We initiated our response within hours of this issue becoming public.
We rapidly developed detection capability and have already scanned your in-scope assets for the threat. Testing capability is forthcoming.
If you are a BreachRisk™ for Business customer (all service levels), we sent you an email on July 24, 2023 notifying you whether you were affected. The subject of the email contains the phrase "Security Advisory: Citrix Vulnerability (CVE-2023-3519)".
If you subscribe to BreachRisk™ Portfolio, you may notice a change in some of the companies in your portfolio if they are affected. You can also contact us at support@breachbits.com if you need assistance, especially for subscribers with over 100 portfolio entities.
We provide our BreachRisk™ for Business and BreachRisk™ Portfolio customers continuous threat detection and testing services for threats in situations like this. Our job is to answer these questions for our clients:
"Does this threat affect me?"
"If so, where am I affected?"
"How does this affect my overall cyber risk profile (i.e. my BreachRisk™ Score)?"
"Where does this threat stack up against other ongoing cyber threats?"
"How will I know when the situation is handled?"
As a part of our routine process, we have worked tirelessly since the announcement of this vulnerability to integrate capabilities to match this threat. Our automation and A.I.-based systems are designed to accept rapid development for threats such as these. We don't just report technical data; we put the threat into context using BreachRisk™ Score and BreachRisk™ Report.
As details of attack methods continue to become available, we expect attackers of lower skill levels to also learn to execute this attack. BreachBits will continue to update and refine our BreachRisk™ solutions to identify exposed vulnerabilities and attack methods. BreachBits will continue to initiate new BreachRisk™ assessment cycles for customers when new affected software is publicly disclosed, to help our customers stay ahead of attackers.
What You Should Do
Consider taking the following actions, especially if you are not a BreachRisk™ customer:
Identify if the threat is present on your systems.
Pinpoint where you are affected.
Consider how your business would be impacted if the affected element were to be shut down, breached, or taken over by an attacker.
Determine if this risk is significant enough to divert resources from other efforts, and make a decision to attempt a fix or not.
If you attempt to fix, follow up to verify the fix was applied. You may need to repeat this cycle as more information emerges.
Now that the vulnerability is public, be on the lookout for further guidance from software developers and security firms.
If you are a BreachRisk™ Subscriber
If you are a BreachRisk™ for Business customer, we are already examining your external attack surface. You should also do the following:
Check your email from July 24th for a summary of whether we believe you are affected or not.
Provide any IT infrastructure that we haven't already discovered via the Verifications page on your Dashboard. This will allow us to identify more of the attack pathways that are accessible from the internet.
Enable Penetration Testing if you have a Pro subscription. This will allow us to test any attack pathways we identify to see if an attacker can achieve a breach.
Since we are inspecting your external attack surface, you should have your security team search your internal systems, which we may not be able to see.
If you need any assistance or have questions, contact us at support@breachbits.com.
If you are a BreachRisk™ Portfolio client, consider contacting the companies in your portfolio and encouraging them to take the steps above if they haven't already. You can also monitor your companies for a sharp rise in their BreachRisk™ Score, which may indicate an affected company.
If You Are Not a Subscriber
If you need to know immediately if this threat affects your company, you can register and deploy BreachRisk™ within minutes. Once you've been registered and automatically authenticated, we offer a simple interface and within a few clicks you will have results in as little as one hour. We offer free plans and 14-day fully functional free trials. This will cover your external attack surface.
If you need to test if attackers can actually exploit this issue in your environment, our paid BreachRisk™ for Business plans can do this quickly and continuously for this threat and for hundreds of other threats being used by hackers every day.
What's Next
We have already searched the attack surfaces of our subscribers for this threat and will continue searching periodically to adapt to dynamic attack surface environments. Soon, we expect to be able to test affected customers to prove whether the threat could impact their business.
BreachBits will continue to monitor the situation and update threat vector identification capabilities into our continuous monitoring and testing solutions. As BreachBits discovers vulnerable hosts, we will reach out to the affected customers to notify and provide support as needed.
Due to the nature of our technology, our AutoIntelligent Persistent Threat Engine can easily check for this threat across hundreds of thousands of clients for decades to come.
For more information on BreachRisk™ for Business and BreachRisk™ Portfolio please refer to our website or contact us.
Update Log
03 Aug 2023: Published