What is the CVE-2023-3519 Code Execution Vulnerability?

What is the CVE-2023-3519 Code Execution Vulnerability?
On July 18, 2023, Citrix released a security advisory regarding a critical security vulnerability with a CVSS score of 9.8, identified as CVE-2023-3519, for Citrix NetScaler ADC (formerly known as Citrix ADC) and NetScaler Gateway (formerly known as Citrix Gateway). This security vulnerability has garnered significant attention in the past few days, with numerous reports claiming it is being exploited as a zero-day attack, where threat actors are leaving a web shell on organizations' critical infrastructure.


Citrix's advisory also includes additional security vulnerabilities affecting NetScaler users:

CVE-2023-3466 - A reflected Cross-Site Scripting (XSS) vulnerability requiring access to a link controlled by an attacker in a browser. The NetScaler IP (NSIP) address is the IP address you use to access NetScaler for administrative purposes.

CVE-2023-3467 - A Privilege Escalation vulnerability requiring authenticated access with management interface to NSIP or SNIP. A subnet IP address (SNIP) is an IP address belonging to NetScaler used for communication with servers.

Fix Update

A newly discovered vulnerability, CVE-2023-3519, affects NetScaler ADC and NetScaler Gateway applications.
Update Your Application: If your ADC or Gateway version is lower than the following version numbers, Zscaler strongly recommends upgrading to a secure version.


NetScaler ADC and NetScaler Gateway version 13.1 prior to 13.1-49.13
NetScaler ADC and NetScaler Gateway version 13.0 prior to 13.0-91.13
NetScaler ADC version 13.1-FIPS prior to 13.1-37.159
NetScaler ADC version 12.1-FIPS prior to 12.1-55.297
NetScaler ADC version 12.1-NDcPP prior to 12.1-55.297


CVE-2023-3519 may allow an unauthenticated threat actor to trigger a stack buffer overflow in the NetScaler Packet Processing Engine (nsppe) process by sending a specially crafted HTTP GET request. Since nsppe runs as root, a successful exploitation would likely result in arbitrary code execution as 'root.'

Here is an example of an HTTP request made using the GET method:


[Image: example HTTP GET request]



The proof-of-concept (PoC) for CVE-2023-3519 for Citrix ADC can be found on GitHub.


Attack Chain

A threat actor can exploit CVE-2023-3519 by uploading files containing malicious webshells and scripts, thereby gaining the ability to scan networks and extract sensitive information.

Configuration files of a server contain encrypted passwords on the same server, which can be viewed and deciphered with decryption keys also present on the server. Therefore, configuration files become an exposed target for threat actors. By decrypting Active Directory credentials, a threat actor can obtain a wide range of information, including:

Details about users
Computers
Groups
Subnets

[Image: attack chain]


Initial Access - According to CISA, a threat actor can upload a TGZ file (a compressed archive created using GZIP) containing a general web shell, reconnaissance script, and setuid binary file to Citrix's NetScaler Application Delivery Controller (ADC) application. Through the web shell, the threat actor can execute remote commands on the compromised system and establish a reliable command and control channel.


Privilege Escalation - The uploaded TGZ file contains a setuid binary file that threat actors use to exploit the Privilege Escalation Mechanism and gain elevated permissions on a system.

Credential Access - A threat actor can discover an encrypted password using NetScaler configuration files stored in /flash/nsconfig/keys/updated/* and /nsconfig/ns.conf. They can decrypt the password using the key stored in the ADC application. Using these keys, Active Directory credentials are deciphered from the configuration file.

Discovery - Using the newly obtained decrypted credentials, the threat actor queries trusted domains, organizational units (OUs), computers, users, and more within the network. This information can later be used for lateral movement or privilege escalation.

Collection - The threat actor uses the 'tarball' command to compress collected data and 'openssl' for encryption. The following command is used to collect compromised data from the infected system:


Code:
tar -czvf - /var/tmp/all.txt | openssl des3 -salt -k <> -out /var/tmp/test.tar.gz

Evasion - To bypass detection engines, the leaked data can be uploaded to a web-accessible path as an image file using the following command:

Code:
cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png

According to public reports, a segmented environment where ADC applications were deployed hindered threat actors from discovering critical infrastructure. Threat actors attempted:

Running the curl command on a subnet-wide scale to identify accessible and potential lateral movement targets within the network.
Attempting to verify outbound network connectivity using the ping command (ping -c 1 google.com).
Running host commands for DNS queries on a subnet-wide scale.

As reported, threat actors also attempted to delete their own artifacts. They deleted the authorization configuration file (e.g., /etc/auth.conf) to prevent configured users (e.g., admin) from remotely (e.g., CLI) logging in. Typically, an organization might need to reboot the device into single-user mode to regain access to the ADC application (which could erase artifacts from the device). However, in this case, the victim used an SSH key on standby to access the device without rebooting. Post-attack lateral movement attempts by threat actors were also thwarted by network segmentation controls. Threat actors inserted and subsequently removed a second web shell on the victim's device. This was likely a PHP shell with proxy capabilities. Threat actors likely used this to attempt to redirect SMB traffic to the DC (the victim observed attempts to authenticate to the DC via ADC using previously decrypted AD credentials via a virtual machine). Firewall and account restrictions (allowing only specific internal accounts to authenticate to the DC) were used to block this activity.



Affected Products


The following supported versions of NetScaler ADC and NetScaler Gateway are impacted by these security vulnerabilities:


NetScaler ADC and NetScaler Gateway version 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway version 13.0 before 13.0-91.13
NetScaler ADC version 13.1-FIPS before 13.1-37.159
NetScaler ADC version 12.1-FIPS before 12.1-55.297
NetScaler ADC version 12.1-NDcPP before 12.1-55.297

Mitigation Methods

Zscaler strongly advises affected customers of NetScaler ADC and NetScaler Gateway to promptly install the relevant updated versions as follows:

For NetScaler ADC and NetScaler Gateway 13.1-49.13 and subsequent versions
For NetScaler ADC and NetScaler Gateway 13.0-91.13 and subsequent versions
For NetScaler ADC 13.1-FIPS 13.1-37.159 and subsequent versions
For NetScaler ADC 12.1-FIPS 12.1-55.297 and subsequent versions
For NetScaler ADC 12.1-NDcPP 12.1-55.297 and subsequent versions


Source: https://www.turkhackteam.org/konular/cve-2023-3519-kod-yurutme-acigi-nedir.2046822/
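An added example, not from the post or the Zscaler advisory it summarises, for the Fix Update and Affected Products tables above: a Python check that parses a NetScaler version string and compares its build numerically against the first fixed build for that branch and flavour. The table is copied from the post; the second accepted input form (the "NS13.1: Build 49.13.nc" line printed by `show ns version`) is an assumption.

```python
import re

# First fixed build per (release branch, flavour), taken from the version
# table in the post above. Builds below these are affected by CVE-2023-3519.
FIXED_BUILDS = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}

# Accepts the advisory form "13.1-49.13" and (assumed format) the
# "NS13.1: Build 49.13.nc" form that `show ns version` prints.
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text: str):
    """Return (branch, (build, minor)); raise ValueError on unrecognised input."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable(text: str, flavour: str = "standard"):
    """True if the build is below the fixed build for its branch/flavour,
    False if at or above it, None if the branch/flavour is not in the table
    (for example 12.1 standard, which the post does not list)."""
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, flavour))
    if fixed is None:
        return None
    # Compare as integer tuples: as strings, "49.8" would sort after "49.13".
    return build < fixed


if __name__ == "__main__":
    for sample in ("13.1-49.13", "13.1-49.8", "13.0-90.12", "12.1-65.25"):
        print(sample, "->", is_vulnerable(sample))
```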

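An added example, not from the post or from CISA, for the Evasion step above, where the encrypted archive is copied under /netscaler/ns_gui/vpn/ with a .png name: a Python scan that flags image-named files whose header is not an image, recognising the "Salted__" prefix that `openssl ... -salt` writes and the gzip magic from `tar -cz`. It runs against a constructed sample tree; the ADC path is only mentioned as the place a defender would point it at.

```python
import os
import tempfile
from pathlib import Path

# Magic bytes a genuine image file starts with, keyed by extension.
IMAGE_MAGICS = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
}
# Headers of payloads that should never sit behind an image name. "Salted__"
# is what `openssl ... -salt` writes before the ciphertext; 1f 8b is gzip.
PAYLOAD_MAGICS = {b"Salted__": "openssl-salted", b"\x1f\x8b": "gzip",
                  b"PK\x03\x04": "zip", b"\x7fELF": "elf"}


def classify(header: bytes, suffix: str) -> str:
    """'image' if the header fits the extension, otherwise the payload kind
    ('openssl-salted', 'gzip', ...) or 'unknown'; 'not-image' for other names."""
    expected = IMAGE_MAGICS.get(suffix.lower())
    if expected is None:
        return "not-image"
    if any(header.startswith(m) for m in expected):
        return "image"
    for magic, kind in PAYLOAD_MAGICS.items():
        if header.startswith(magic):
            return kind
    return "unknown"


def find_masquerading_images(root: str):
    """Walk `root` (e.g. /netscaler/ns_gui on an ADC, or an offline copy) and
    return sorted (relative path, kind) for image-named files that are not images."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify(fh.read(16), path.suffix)
            if kind not in ("image", "not-image"):
                findings.append((path.relative_to(root).as_posix(), kind))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample tree (not real ADC content) to exercise the scan."""
    root = tempfile.mkdtemp(prefix="ns_gui_")
    vpn = Path(root, "vpn")
    vpn.mkdir()
    (vpn / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 24)      # genuine PNG
    (vpn / "medialogininit.png").write_bytes(b"Salted__" + b"\x01" * 24)  # staged archive
    (vpn / "bg.jpg").write_bytes(b"\x1f\x8b\x08" + b"\0" * 16)            # gzip under a jpg name
    return root
```

A real run would be `find_masquerading_images("/netscaler/ns_gui")` from a trusted shell; a hit of kind openssl-salted or gzip on a web-served image path is exactly the staging artefact described above.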

rootibo

Senior Member
nice topic
 