In a concerning development for cybersecurity, hundreds of Citrix NetScaler ADC and Gateway servers have fallen victim to malicious actors who exploited a critical code injection vulnerability. Referred to as CVE-2023-3519, this flaw could potentially lead to unauthenticated remote code execution.
Details of the vulnerability
The code injection vulnerability, which Citrix addressed through a patch last month, carries a CVSS score of 9.8. This high score underscores the severity and potential impact of the flaw. Such a vulnerability can expose organizations to significant risks and leave them vulnerable to cyberattacks.
Scope of the breach
The reach of this breach spans across several countries. The largest number of impacted IP addresses is found in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil. This highlights the global impact of the vulnerability and the need for organizations worldwide to remain vigilant in their cybersecurity efforts.
Previous disclosures
The exploitation of CVE-2023-3519 to deploy web shells was previously disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This highlights the importance of promptly addressing and mitigating such vulnerabilities by organizations to prevent unauthorized access and potential data breaches.
Discovery of an Additional Flaw
In addition to the CVE-2023-3519 exploit, another critical flaw in Citrix ShareFile software, known as CVE-2023-24489, was recently detected. GreyNoise, a cybersecurity firm, reported three IP addresses attempting to exploit this vulnerability. Citrix has promptly addressed the issue in ShareFile storage zones controller version 5.11.24 and subsequent updates.
Technical details of the bug
The bug present in Citrix ShareFile software can be traced back to a simpler version of a padding oracle attack. It has been identified that the default values for AES encryption in .NET are Cipher Block Chaining (CBC) mode and PKCS#7 padding. A potential padding oracle attack can be identified by observing how the system behaves when a different type of padding is provided. This technical insight highlights the complexity of the vulnerability and the importance of strong cybersecurity measures.
These recent breaches of Citrix NetScaler ADC and Gateway servers shed light on the critical need for organizations to promptly patch vulnerabilities and ensure robust cybersecurity measures. The exploitation of the CVE-2023-3519 and CVE-2023-24489 vulnerabilities demonstrates the constant and evolving threats faced by businesses and individuals alike. It is crucial that organizations remain proactive in their approach, regularly updating and patching their systems to prevent unauthorized access and potential data breaches. These incidents serve as a reminder of the ever-present risks and the need for continuous vigilance in safeguarding sensitive information.