Users of Citrix’s NetScaler ADC and NetScaler Gateway appliances (formerly Citrix ADC and Citrix Gateway respectively) should patch as soon as possible: the vendor has announced a zero-day vulnerability that is already being exploited.
The vulnerabilities only affect customer-managed appliances; Citrix-provided cloud services or Adaptive Authentication services are not affected.
In its advisory, Citrix noted that the most serious vulnerability is CVE-2023-3519, which an unauthenticated attacker can exploit to achieve remote code execution.
To be vulnerable, the advisory stated, the appliance has to be configured “as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy); or as an AAA virtual server”.
“Exploits of CVE-2023-3519 on unmitigated appliances have been observed”, the advisory stated.
The affected product versions are as follows: NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13; NetScaler ADC 13.1-FIPS before 13.1-37.159; NetScaler ADC 12.1-FIPS before 12.1-55.297; and NetScaler ADC 12.1-NDcPP before 12.1-55.297.
NetScaler ADC and NetScaler Gateway 12.1 are also vulnerable, but that release is end-of-life and will not be patched.
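The following is an added example (not code from Citrix or from the article) that turns the advisory's affected-version list and its Gateway/AAA configuration condition into a check a defender can run over an inventory of appliances. The build-string shape ("13.1-49.13"), the separate variant argument ("standard", "FIPS", "NDcPP") and the role names are assumptions for this example.

```python
import re

# First fixed build per (release branch, variant), as listed in the advisory.
# Plain 12.1 is end-of-life and receives no fix.
FIXED_BUILDS = {
    ("13.1", "STANDARD"): "13.1-49.13",
    ("13.0", "STANDARD"): "13.0-91.13",
    ("13.1", "FIPS"): "13.1-37.159",
    ("12.1", "FIPS"): "12.1-55.297",
    ("12.1", "NDCPP"): "12.1-55.297",
}
EOL_BRANCHES = {("12.1", "STANDARD")}

# Roles named in the advisory that make an unfixed build exploitable
# (assumed spelling of the role names for this example).
GATEWAY_ROLES = {"vpn", "ica_proxy", "cvpn", "rdp_proxy", "aaa"}

# Assumed build-string shape, e.g. "13.1-49.13": release 13.1, build 49, sub-build 13.
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build: str) -> tuple:
    """Split a build string into comparable integers; raise on unexpected input."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def assess(build: str, variant: str = "standard") -> str:
    """Return 'fixed', 'affected', 'eol' or 'not-listed' for a build/variant pair."""
    parsed = parse_build(build)
    key = (f"{parsed[0]}.{parsed[1]}", variant.upper())
    if key in EOL_BRANCHES:
        return "eol"         # vulnerable, and no patch will ship for this branch
    if key not in FIXED_BUILDS:
        return "not-listed"  # branch not named in the advisory; confirm with the vendor
    # Same release branch, so tuple comparison orders (build, sub-build) correctly.
    return "affected" if parsed < parse_build(FIXED_BUILDS[key]) else "fixed"


def exposed_to_rce(build: str, variant: str, roles: set) -> bool:
    """True when the build is unfixed AND a Gateway or AAA virtual server is configured."""
    return assess(build, variant) in ("affected", "eol") and bool(roles & GATEWAY_ROLES)
```

An appliance that is "affected" but has no Gateway or AAA role configured still needs the patch; the role check only tells you which appliances the advisory says are exploitable today.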
The other two vulnerabilities are CVE-2023-3466, a reflected cross-site scripting vulnerability that is only exploitable with victim interaction, and CVE-2023-3467, a privilege escalation bug.