
- 169/2023
- Critical
Citrix has released security updates to address several vulnerabilities in Citrix ADC and Citrix Gateway.
The addressed vulnerabilities could allow a remote attacker to gain access, execute arbitrary code, perform cross-site scripting attacks, or gain elevated privileges on the affected systems.
The addressed vulnerabilities:
1. Citrix ADC, Citrix Gateway Unauthenticated Remote Code Execution (CVE-2023-3519):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Citrix ADC, Citrix Gateway Reflected Cross-Site Scripting (CVE-2023-3466):
- CVSS: 8.3
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Consequences: Cross-Site Scripting
3. Citrix ADC, Citrix Gateway Privilege Escalation to root Administrator (nsroot) (CVE-2023-3467):
- CVSS: 8
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privileges
It should be highlighted that Citrix is aware of a public exploit for this zero-day vulnerability (CVE-2023-3519) being used in the wild.
Note: NetScaler ADC and NetScaler Gateway version 12.1 are now End Of Life (EOL), so Citrix recommends that customers using an EOL version upgrade their appliances to one of the supported fixed versions.
Vulnerabilities
- CVE-2023-3519
- CVE-2023-3466
- CVE-2023-3467
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.