Malicious actors have targeted hundreds of Citrix NetScaler ADC and Gateway servers to deploy web shells.
The attacks exploit a critical code injection vulnerability, tracked as CVE-2023-3519, which can lead to unauthenticated remote code execution. Citrix addressed the flaw in a patch released last month; it carries a CVSS score of 9.8. The Shadowserver Foundation, a non-profit organisation, reported on the campaign, revealing that the largest numbers of impacted IP addresses are located in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had previously disclosed the exploitation of CVE-2023-3519 in an attack against an undisclosed critical infrastructure organisation in June 2023.
Citrix ShareFile Software Vulnerability
Apart from CVE-2023-3519, another critical flaw affecting Citrix ShareFile software was discovered by the cybersecurity community. Tracked as CVE-2023-24489, this vulnerability carries a CVSS score of 9.1 and allows unauthenticated arbitrary file upload and remote code execution. The issue was resolved in ShareFile storage zones controller version 5.11.24 and later.
Attack Surface Management and Padding Oracle Attack:
Assetnote, an attack surface management firm, played a crucial role in identifying and reporting the vulnerability exploited in Citrix NetScaler ADC and Gateway servers. The flaw was traced to a simpler variant of a padding oracle attack, which takes advantage of the default settings for AES encryption in .NET, namely Cipher Block Chaining (CBC) mode and PKCS#7 padding. Security researcher Dylan Pindur emphasised the importance of understanding how the decryption routine behaves when given valid versus invalid padding: if the two cases can be told apart by the caller, that difference is the oracle a padding oracle attack relies on.
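The following is an added illustration of the point above and is not code from the original article, from Assetnote, or from Citrix. It builds CBC mode with PKCS#7 padding over a keyed 16-byte block permutation (a 4-round Feistel network using HMAC-SHA256 as the round function, a stand-in for AES so that it runs on the Python standard library alone; the oracle behaviour does not depend on which block cipher is used). The "leaky" decryptor mirrors the insecure pattern of decrypt-then-unpad with no integrity check, so a caller can distinguish valid from invalid padding. The hardened decryptor applies encrypt-then-MAC: it verifies an HMAC-SHA256 tag in constant time before decrypting and reports every failure through a single error. The `count_accepted` helper is the regression check a defender would run on their own decryption endpoint: it rewrites the byte that feeds the final plaintext byte through all 255 other values and counts how many the decryptor accepts. All keys, messages and function names below are constructed for this example.

```python
"""Added example: CBC/PKCS#7 padding oracle exposure versus encrypt-then-MAC."""
import hashlib
import hmac
import os

BLOCK = 16


class PaddingError(Exception):
    """Raised by the unpad step; observable by the caller in the leaky design."""


class AuthenticationError(Exception):
    """The only error the hardened decryptor ever reports for bad input."""


def _block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network over two 8-byte halves, HMAC-SHA256 as round
    # function: a keyed permutation standing in for AES in this example.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def _block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        f = hmac.new(key, bytes([rnd]) + left, hashlib.sha256).digest()[:8]
        left, right = bytes(a ^ b for a, b in zip(right, f)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    # Same rule .NET applies by default: last byte n must be 1..16 and the
    # final n bytes must all equal n; anything else is rejected.
    if not data or len(data) % BLOCK:
        raise PaddingError("length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("invalid PKCS#7 padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = _block_encrypt(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(_block_decrypt(key, cur), prev)))
        prev = cur
    return b"".join(out)


def leaky_encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, pkcs7_pad(plaintext))


def leaky_decrypt(key: bytes, blob: bytes) -> bytes:
    # Decrypt-then-unpad with no integrity check: PaddingError escapes to the
    # caller, so valid and invalid padding are distinguishable. This is the oracle.
    return pkcs7_unpad(cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:]))


def safe_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers IV and ciphertext.
    body = leaky_encrypt(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def safe_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise AuthenticationError("tag mismatch")
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    except PaddingError:
        # Unreachable once the tag verified, but never let a padding verdict out.
        raise AuthenticationError("decryption failed") from None


def count_accepted(decrypt_fn, blob: bytes, tag_len: int = 0) -> int:
    """Regression check: modify the byte that feeds the last plaintext byte
    (last byte of the block before the final ciphertext block, skipping the
    trailing tag) through every other value; return how many the decryptor
    accepts. A decryptor with integrity checking must return 0."""
    pos = len(blob) - tag_len - BLOCK - 1
    accepted = 0
    for v in range(256):
        if v == blob[pos]:
            continue
        mutated = blob[:pos] + bytes([v]) + blob[pos + 1:]
        try:
            decrypt_fn(mutated)
            accepted += 1
        except (PaddingError, AuthenticationError):
            pass
    return accepted


if __name__ == "__main__":
    enc_key, mac_key = bytes(range(16)), bytes(range(16, 48))  # constructed keys
    msg = b"padding oracle demo."  # 20 bytes -> padded with 12 bytes of 0x0c
    leaky_blob = leaky_encrypt(enc_key, msg)
    safe_blob = safe_encrypt(enc_key, mac_key, msg)
    print("leaky accepts", count_accepted(lambda b: leaky_decrypt(enc_key, b), leaky_blob))
    print("hardened accepts", count_accepted(lambda b: safe_decrypt(enc_key, mac_key, b), safe_blob, 32))
```

With the constructed 20-byte message the leaky decryptor accepts exactly one of the 255 modifications (the one that turns the final plaintext byte into 0x01, a valid one-byte padding), which is the observable difference the article describes; the hardened decryptor accepts none, because every modified blob fails the HMAC check before padding is ever examined. AES-GCM or another AEAD mode achieves the same result in one primitive and is the usual replacement for CBC with PKCS#7 in .NET.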
Conclusion:
The recent breach of Citrix NetScaler ADC and Gateway servers highlights the importance of promptly addressing critical vulnerabilities and applying the corresponding security patches. Cyberattacks exploiting vulnerabilities like CVE-2023-3519 and CVE-2023-24489 can have severe consequences for organisations, leading to unauthorised access and potential data breaches. Proactive measures, such as regular security updates and monitoring for suspicious activity, are highly recommended to safeguard critical infrastructure and sensitive information.
andersenIT recommends that organisations maintain a robust cybersecurity posture to defend against emerging threats. Our team of experts can help businesses identify and mitigate vulnerabilities in their critical IT infrastructure, ensuring that all systems remain protected from potential exploits. To ensure that your Citrix environment is safe and protected, please contact us at enquiry@andersenIT.com.au or fill out the form below.