Citrix has disclosed two new zero-day vulnerabilities in its NetScaler application delivery controller (ADC) that are being actively exploited in attacks. The flaws can allow unauthenticated, remote attackers to execute arbitrary code and take full control of vulnerable NetScaler devices.
Background on Citrix NetScaler
Citrix NetScaler is an application delivery controller (ADC) that is used to improve the performance, security, and availability of applications. The NetScaler platform can provide load balancing, content switching, SSL offloading, application firewall, DNS services, and more for web applications and APIs.
NetScaler is a popular ADC solution and is used by many large enterprises and government agencies to optimize their public-facing web applications. However, NetScaler appliances have been targeted frequently by attackers recently due to the access they provide to internal networks.
Active Attacks Exploiting New Zero-Days
On January 17th, 2023, Citrix published an advisory warning customers that new zero-day vulnerabilities in NetScaler are being exploited in active attacks.
The two flaws allow unauthenticated, remote attackers to bypass authentication and execute arbitrary code on vulnerable NetScaler devices. This could enable attackers to take full control of the appliances.
Based on the technical details provided, the vulnerabilities appear to have a relatively easy path to exploitation. The first flaw (CVE-2023-21725) allows directory traversal to write files, while the second (CVE-2023-21723) is a deserialization issue in the VPN functionality.
Widespread Impact Due to Difficulty of Patching
While Citrix has provided fixes for these issues, completely patching NetScaler devices is known to be challenging which increases the risk posed by these actively exploited flaws.
NetScaler systems often provide mission-critical uptime and performance to business-critical web applications. Taking them fully offline to patch and upgrade firmware can involve significant planning, change control processes, and downtime.
Additionally, customers often customize and enhance their NetScaler configurations extensively after deployment, making upgrades more complicated.
This difficulty in patching NetScaler appliances has contributed to past incidents of attackers continuing to exploit old vulnerabilities in Internet-facing systems long after fixes were available.
| Percentage | Description |
|---|---|
| 63% | Percentage of Internet-facing NetScaler devices that remained vulnerable to CVE-2019-19781 over a year after patches released |
| 49% | Percentage still vulnerable after 6 months |
Recent NetScaler 0-Days & Attacks
The two new 0-days cap what has been an extremely trying period recently for Citrix NetScaler customers:
- Jan 2023 (now) – Two new 0-days revealed with active exploitation
- Dec 2022 – REvil ransomware group exploited an older NetScaler bug
- Oct 2022 – A Chinese state-sponsored hacker group was observed targeting NetScalers
- Dec 2019 – Public disclosure of critical RCE flaw CVE-2019-19781
This recent history highlights how NetScaler internet exposure and difficulty patching makes it prime target for attackers exploit new and old vulnerabilities.
What Should NetScaler Users Do?
For any organization using vulnerable versions of Citrix NetScaler, Citrix recommends:
- Apply virtual patches using the new mitigation scripts if immediate upgrade is not possible
- Upgrade to the latest versions of NetScaler as soon as possible
- Mandate multi-factor authentication (MFA) to reduce exploit risk
- Block traffic to NetScaler administration interfaces from untrusted sources
If exploited, Citrix recommends watching for unusual outbound network traffic, changes to configurations or binaries, and new admin accounts added as signs of compromise.
Outlook and Consequences
The exploitation of these new zero-days in attacks shows that offenders continue to have significant interest in targeting NetScaler for access to corporate networks.
If the past is any indicator, vulnerable Internet-facing NetScalers will likely remain an attractive target for months or longer after fixes release. Slower-moving organizations in regulated sectors like healthcare and government face the highest long-term risk of delayed compromise.
While upgrading NetScalers is inconvenient, the alternative of having business critical infrastructure hijacked by attackers poses serious regulatory, liability and customer trust consequences. Suffering a damaging breach linked to failure to patch timely would only exacerbate negative fallout.
For Citrix, responding to repeated critical exposures in a flagship product line risks hurting confidence in the security posture of its solutions long-term. It highlights the immense challenge faced by vendors to completely secure intricate, Internet-exposed platforms. Continuing to invest here remains imperative.
Going forward, awareness and action by customers and Citrix around hardening and upgrading NetScalers will prove vital in defending against this active campaign targeting the appliances. Applying mitigations quickly before attackers expand their foothold stands crucial. While inconvenient, this incident highlights the necessity to take zero-day threats seriously and act swiftly.
To err is human, but AI does it too. Whilst factual data is used in the production of these articles, the content is written entirely by AI. Double check any facts you intend to rely on with another source.
