On July 19, 2023, NIST published a vulnerability designated CVE-2023-3519 in Citrix NetScaler ADC and NetScaler Gateway. The vulnerability is a “Code Injection” type, which can allow an attacker to inject and execute unauthorized code or commands and so change the way an application behaves. The attacker may also be able to propagate viruses or worms. This could lead to compromised data, denial of access to resources, and possibly a complete host takeover.
A “Code Injection” attack is one where a malicious actor uses a known vulnerability to inject untrusted data into an interpreter. This can occur on a number of platforms: SQL, operating system commands, XML parsers, LDAP. The result is a change in the behavior of the component that reads or processes the submitted data. In some cases this change allows the actor to compromise the system further, possibly gaining elevated privileges to extend the attack, or to use the environment as a platform to launch other attacks.
Severity and impact
NIST has assigned a Base Score of 9.8 Critical to CVE-2023-3519, and Citrix has classified the Severity as “Critical” in its Knowledge Center article on the vulnerability.
Response Step 1: Determine if you are at risk
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL) and is vulnerable.
To assess whether your third parties are vulnerable, customers can use the NetScaler ADC and NetScaler Gateway Vulnerability Questionnaire, available in the Questionnaire Standards Library on the Whistic platform.
Step 2: Solutions according to Citrix Support Knowledge Center
Update to the appropriate version in the list below:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL). Customers are advised to upgrade their appliances to one of the supported versions that address the vulnerabilities.
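As an added example (not part of this advisory or of any Citrix tooling), the following Python check compares an appliance's reported version against the fixed builds listed in Steps 1 and 2 above, treating the 12.1 standard line as EOL. The `show ns version` output format it also accepts ("NetScaler NS13.1: Build 49.13.nc") is an assumption, as are the sample version strings.

```python
import re
from typing import Optional, Tuple

# Minimum fixed builds per (release line, edition), taken from the lists above.
# Edition "" denotes the standard ADC/Gateway build.
FIXED_BUILDS = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}

# Release lines the advisory marks End of Life with no fixed build.
EOL_RELEASES = {("12.1", "")}

# Matches "13.1-49.13" (advisory notation) and "NS13.1: Build 49.13.nc"
# (assumed 'show ns version' layout). Groups: release, build major, build minor.
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-: ]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Return (release, build_major, build_minor), or None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    release, major, minor = m.groups()
    return release, int(major), int(minor)


def assess(text: str, edition: str = "") -> str:
    """Classify a version string as patched, vulnerable, eol or unknown.

    Builds are compared as (major, minor) tuples, so 13.1-50.1 correctly
    sorts after 13.1-49.13 even though 1 < 13 numerically.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    release, major, minor = parsed
    if (release, edition) in EOL_RELEASES:
        return "eol"
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        return "unknown"  # release line not covered by the advisory text
    return "patched" if (major, minor) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real appliance.
    for sample, ed in [("13.1-49.13", ""), ("NetScaler NS13.0: Build 90.11.nc", ""),
                       ("13.1-37.159", "FIPS"), ("12.1-65.35", "")]:
        print(sample, ed or "standard", "->", assess(sample, ed))
```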
Does this affect Whistic?
As a result of our investigation, we have determined that this vulnerability, CVE-2023-3519, does not directly impact Whistic.