
URL: https://csirt.divd.nl/cases/DIVD-2023-00030/

DIVD CSIRT

Making the internet safer through Coordinated Vulnerability Disclosure



DIVD-2023-00030 - CITRIX SYSTEMS VULNERABLE FOR CVE-2023-3519

Our reference: DIVD-2023-00030
Case lead: Lennaert Oudshoorn

Researcher(s)
 * Yun Hu (Fox-IT)
 * Max Groot (Fox-IT)

CVE(s)
 * CVE-2023-3519
 * CVE-2023-3467
 * CVE-2023-3466

Products
 * Citrix ADC
 * Citrix Gateway

Versions
 * NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
 * NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
 * NetScaler ADC 13.1-FIPS before 13.1-37.159
 * NetScaler ADC 12.1-FIPS before 12.1-55.297
 * NetScaler ADC 12.1-NDcPP before 12.1-55.297
 * NetScaler ADC and NetScaler Gateway version 12.1 is End Of Life (EOL) and is
   vulnerable.

Recommendation: Update your system to the latest patched version
Patch status: Fully patched
Status: Open
Last modified: 11 Aug 2023 09:26


SUMMARY

Citrix has released a security bulletin notifying of three vulnerabilities in
Citrix NetScaler ADC and NetScaler Gateway products. One of these
vulnerabilities, tracked as CVE-2023-3519, is an unauthenticated remote code
execution vulnerability. This would allow an attacker to execute arbitrary
commands on a vulnerable exposed Citrix NetScaler ADC or Gateway. This is a
critical vulnerability, and Citrix urges patching vulnerable systems.

Building upon the earlier notifications of vulnerable Citrix systems, Fox-IT /
NCC Group shared data on vulnerable systems, whose owners DIVD will notify. The
scanning method is published in the Fox-IT blog post listed under More
information.


CVE-2023-3519 - UNAUTHENTICATED REMOTE CODE EXECUTION

This vulnerability will allow an attacker to execute arbitrary code on your
appliance which could result in the appliance being taken over remotely by an
attacker if it is “operating as a Gateway (VPN virtual server, ICA Proxy, CVPN,
RDP Proxy) or an AAA virtual server”.


WHAT YOU CAN DO

If your Citrix server hasn’t been updated to a secure version, we strongly
advise you to patch it, especially if you’re utilizing any of the following
features:

 * SSL VPN
 * ICA Proxy
 * CVPN
 * RDP Proxy
 * AAA virtual server

If you are not using any of these features, we still recommend that you patch to
a non-vulnerable version, so that your appliance does not become vulnerable when
you start using one of these functions in the future.
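
The check below is an added example, not code from DIVD, Fox-IT or Citrix: it classifies a NetScaler build string against the fixed builds in the Versions list above. The function names, the edition labels ("standard", "fips", "ndcpp"), the accepted string formats and the sample inventory are assumptions of this example; the caller must supply the edition, because FIPS and NDcPP branches have their own fixed builds.

```python
import re

# Fixed builds copied from the "Versions" list in this advisory.
# Keys are (release, edition); the edition labels are this example's own.
FIXED = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "fips"): (37, 159),
    ("12.1", "fips"): (55, 297),
    ("12.1", "ndcpp"): (55, 297),
}
# Listed in the advisory as End Of Life and vulnerable, whatever the build.
EOL = {("12.1", "standard")}

# Accepts "13.1-49.13" as well as "NS13.1: Build 48.47.nc" style strings.
BUILD_RE = re.compile(r"(\d+\.\d+)\D+(\d+)\.(\d+)")

def classify(version, edition="standard"):
    """Return 'vulnerable', 'patched', 'not-listed' or 'unparseable'."""
    m = BUILD_RE.search(version)
    if not m:
        return "unparseable"
    release = m.group(1)
    # Compare builds as integer tuples: as text, "49.5" sorts after "49.13".
    build = (int(m.group(2)), int(m.group(3)))
    key = (release, edition.lower())
    if key in EOL:
        return "vulnerable"
    if key not in FIXED:
        return "not-listed"  # release not covered by this advisory's list
    return "vulnerable" if build < FIXED[key] else "patched"

def triage(inventory):
    """Return the hosts that are not confirmed patched, sorted by name."""
    return sorted(host for host, (version, edition) in inventory.items()
                  if classify(version, edition) != "patched")

# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = {
    "gw-ams-01": ("13.1-49.13", "standard"),
    "gw-ams-02": ("NS13.1: Build 48.47.nc", "standard"),
    "adc-fips-01": ("13.1-37.159", "fips"),
    "adc-old-01": ("12.1-65.35", "standard"),
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(host, classify(*SAMPLE[host]))
```

Anything reported as "not-listed" or "unparseable" is left in the triage output on purpose, so that an unknown build is reviewed by hand rather than assumed safe.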


WHAT WE ARE DOING

Fox-IT / NCC Group has shared data of vulnerable systems. DIVD will notify
owners of vulnerable systems.


TIMELINE

Date         Description
18 Jul 2023  Citrix releases a security bulletin for CVE-2023-3519,
             CVE-2023-3467 and CVE-2023-3466
19 Jul 2023  DIVD starts notifying owners of vulnerable systems



MORE INFORMATION

 * Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519,
   CVE-2023-3466, CVE-2023-3467
 * Fox-IT blogpost by Yun Hu

