Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue is a code injection flaw that can result in unauthenticated remote code execution. It affects the following versions –
- Netscaler ADC and Netscaler Gateway 13.1 before 13.1-49.13
- Netscaler ADC and Netscaler Gateway 13.0 before 13.0-91.13
- Netscaler ADC and Netscaler Gateway version 12.1 (currently end of life)
- Netscaler ADC 13.1-FIPS before 13.1-37.159
- Netscaler ADC 12.1-FIPS before 12.1-55.297, and
- Netscaler ADC 12.1-NDcPP before 12.1-55.297
The company did not provide further details about the vulnerability associated with CVE-2023-3519, except that exploits of the vulnerability have been observed on “unlimited devices”. However, successful exploitation requires the device to be configured as a gateway (VPN virtual server, ICA proxy, cVPN, RDP proxy) or as an authentication, authorization and accounting (AAA) virtual server.
Two other bugs are addressed alongside CVE-2023-3519 –
- CVE-2023-3466 (CVSS score: 8.3) – An unpatched input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack
- CVE-2023-3467 (CVSS score: 8.0) – An unpatched privilege management vulnerability resulting in elevation of privilege to the root administrator (nsroot)
Wouter Rijkbost and Jorren Geurts of Resillion are credited with reporting the bugs. Patches have been provided to address the three vulnerabilities in the following versions –
- Netscaler ADC and Netscaler Gateway 13.1-49.13 and later releases
- Netscaler ADC and Netscaler Gateway 13.0-91.13 and later releases of 13.0
- Netscaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- Netscaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS, and
- Netscaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
Customers running Netscaler ADC and Netscaler Gateway version 12.1 are advised to upgrade their appliances to a supported version to mitigate the potential risks.
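As an added example (not code from Citrix or from this article's author), the fixed-build list above can be turned into a fleet check that flags appliances still below the patched build and puts gateway/AAA-configured ones first, since that configuration is the stated precondition for CVE-2023-3519. The edition labels, the `release-build` input format and the inventory are assumptions constructed for illustration.

```python
import re

# First fixed build per (edition, release), copied from the article's patch list.
FIXED = {
    ("standard", (13, 1)): (49, 13),
    ("standard", (13, 0)): (91, 13),
    ("fips", (13, 1)): (37, 159),
    ("fips", (12, 1)): (55, 297),
    ("ndcpp", (12, 1)): (55, 297),
}
EOL = {("standard", (12, 1))}  # end of life: no fixed build, upgrade required
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

def classify(edition, version):
    """Classify one 'release-build' string, e.g. '13.1-48.47'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, b1, b2 = map(int, m.groups())
    key = (edition.lower(), (major, minor))
    if key in EOL:
        return "eol-upgrade"
    if key not in FIXED:
        return "not-listed"
    # Compare as integer tuples: as strings, "9.60" would sort after "49.13".
    return "patched" if (b1, b2) >= FIXED[key] else "vulnerable"

def triage(inventory):
    """Hosts needing action; gateway/AAA roles (the CVE-2023-3519 precondition) first."""
    rows = []
    for host, edition, version, gw_or_aaa in inventory:
        status = classify(edition, version)
        if status in ("vulnerable", "eol-upgrade", "unparsed"):
            rows.append((not gw_or_aaa, host, status))
    return [(host, status, not low) for low, host, status in sorted(rows)]

# Constructed inventory: (host, edition, version, gateway-or-AAA role configured)
INVENTORY = [
    ("adc-01.example", "standard", "13.1-48.47", False),
    ("gw-01.example", "standard", "13.0-90.7", True),
    ("gw-02.example", "standard", "13.1-49.13", True),
    ("adc-02.example", "standard", "12.1-65.25", False),
    ("adc-03.example", "fips", "12.1-55.297", False),
]

if __name__ == "__main__":
    for host, status, exposed in triage(INVENTORY):
        print(f"{host:16} {status:12} gateway/AAA={exposed}")
```

Appliances without a gateway or AAA role still appear in the output because CVE-2023-3466 and CVE-2023-3467 are fixed in the same builds.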
This development comes amid active exploitation of security flaws discovered in Adobe ColdFusion (CVE-2023-29298 and CVE-2023-38203) and the WooCommerce Payments WordPress plugin (CVE-2023-28121).
Leaving security flaws in WordPress plugins could open the door to full compromise, enabling threat actors to re-use compromised WordPress sites for other malicious activities.
Last month, eSentire disclosed an attack campaign called Nitrogen that used infected WordPress sites to host malicious ISO image files that, when launched, contacted remote servers to fetch additional payloads, including Python scripts and Cobalt Strike, and were capable of resulting in the deployment of rogue DLL files.