A proof-of-concept (PoC) exploit for CVE-2023-3519, a critical vulnerability in Citrix ADC (now NetScaler ADC), has been made public. The flaw is a stack-based buffer overflow that has already been exploited in the wild, and it lets unauthenticated attackers execute code remotely on appliances configured as gateways.
The severity of this vulnerability is underscored by its CVSS score of 9.8 out of 10: the attack is low in complexity and needs neither privileges nor user interaction. It affects unpatched NetScaler appliances configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (AAA server).
Citrix addressed the flaw in security updates released on July 18. However, a report by Bishop Fox on July 21 found approximately 61,000 Citrix appliances exposed on the internet, of which around 35% (about 21,000) still appeared to be vulnerable.
The US Cybersecurity and Infrastructure Security Agency (CISA) stated, “In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s NetScaler ADC appliance.” CISA added CVE-2023-3519 to its Known Exploited Vulnerabilities Catalog on July 19, 2023.
Caleb Gross, a security researcher at Bishop Fox, went beyond raising the alarm: he published a technical advisory, including PoC code, demonstrating that CVE-2023-3519 is exploitable. The PoC is alarmingly straightforward to use, taking only three arguments: the target host, the target port, and the URL of a shell-script payload. The shellcode writes a backdoor to `/var/netscaler/logon/a.php` and sets the SUID bit on `/bin/sh` so that commands issued through the backdoor run as root. The backdoor itself is a compact PHP payload that runs `curl | sh` against the supplied URL and returns the output in the HTTP response. This lets an attacker deliver payloads without leaving an unauthenticated, arbitrary-command PHP shell exposed to the internet. For defenders, the dropped file and the setuid bit on `/bin/sh` are two concrete artifacts to check for on any appliance that was exposed before patching.
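As an added example (not code from the Bishop Fox advisory or from this article), the following script checks a filesystem tree for the two post-exploitation artifacts described above: a PHP file at the PoC's backdoor path and a setuid bit on `/bin/sh`. The paths come from the article; the assumption that a stock appliance has no PHP files under the logon directory, and the constructed demo tree the script builds under a temporary directory, are mine and are labelled in the code.

```python
import os
import stat
import tempfile
from pathlib import Path

# Indicators taken from the PoC description: the dropped backdoor path and the
# setuid bit on /bin/sh. Everything is resolved relative to a root directory so
# the same functions work on a mounted appliance image or on the demo tree.
BACKDOOR_REL = Path("var/netscaler/logon/a.php")
LOGON_REL = Path("var/netscaler/logon")
SH_REL = Path("bin/sh")


def sh_is_setuid(root):
    """True if <root>/bin/sh carries the setuid bit (mode 04000)."""
    sh = root / SH_REL
    if not sh.is_file():
        return False
    return bool(sh.stat().st_mode & stat.S_ISUID)


def php_files_in_logon(root):
    """List every .php file under the gateway logon directory, relative to root.

    Assumption for this example: PHP files in that directory are not expected on
    a stock appliance, so each one is worth reviewing against a known-good build.
    a.php in particular matches the path used by the published PoC.
    """
    logon = root / LOGON_REL
    if not logon.is_dir():
        return []
    return sorted(str(p.relative_to(root)) for p in logon.rglob("*.php"))


def scan(root):
    """Return the indicator findings for the tree rooted at `root`."""
    root = Path(root)
    php = php_files_in_logon(root)
    return {
        "setuid_sh": sh_is_setuid(root),
        "php_in_logon": php,
        "poc_backdoor_present": str(BACKDOOR_REL) in php,
    }


def build_demo_tree(infected):
    """Build a constructed directory layout in a temp dir for demonstration.

    infected=True mimics the post-exploitation state the PoC leaves behind;
    infected=False is a clean stand-in. No real appliance files are involved.
    """
    root = Path(tempfile.mkdtemp(prefix="ns-demo-"))
    (root / "bin").mkdir()
    sh = root / SH_REL
    sh.write_text("#!/bin/sh\n")  # placeholder file, not a real shell
    (root / LOGON_REL).mkdir(parents=True)
    (root / LOGON_REL / "index.html").write_text("<html></html>\n")
    if infected:
        # chmod after the write: a write by an unprivileged user clears setuid.
        os.chmod(sh, 0o4755)
        (root / BACKDOOR_REL).write_text("<?php /* constructed stand-in */ ?>\n")
    else:
        os.chmod(sh, 0o755)
    return root


if __name__ == "__main__":
    for state in (False, True):
        label = "infected" if state else "clean"
        print(label, scan(build_demo_tree(infected=state)))
```

On a live appliance you would call `scan("/")` (or point it at a mounted disk image) and compare the PHP listing with a known-good build of the same firmware version. Absence of both indicators is not proof the appliance is clean: this checks only the artifacts of this particular PoC, and an attacker who wrote their own webshell need not have used the same path or touched `/bin/sh` at all.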