Don't just patch your Citrix gear, check for intrusion: Two bugs exploited in wild

About 2,000 NetScaler installations feared compromised as CISA raises alarm over ShareFile


Updated: Miscreants are actively exploiting critical bugs in two of Citrix's products, both of which the business IT player fixed earlier this summer.

Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday warned that criminals have exploited CVE-2023-24489, a 9.8-of-10-severity improper-access-control bug in Citrix ShareFile.

ShareFile is the vendor's collaboration and file sharing application, and it allows enterprises to store files in the cloud or in an on-premises data center.

Citrix sounded the alarm about that security flaw on June 13, and warned that the vulnerability, if exploited, "could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller."

This flaw affects all supported versions of customer-managed ShareFile storage zones controller before version 5.11.24, and upgrading to the latest version will plug the hole, Citrix said at the time. That version was released in May to squash the bug, a month before the tech outfit went public with details of the flaw.

Now the bug has been added to CISA's Known Exploited Vulnerabilities Catalog of stuff that should be fixed as soon as possible because it's under attack in the wild.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," the Feds warned, and set a September 6 deadline by which US federal civilian agencies must patch the flaw.

And just in case anyone needs proof that managed file transfer services are, in fact, very attractive targets for criminals: look no further than the MOVEit ransacking by Russian ransomware crew Clop, which has now compromised more than 650 organizations and 46 million individuals.

Citrix did not respond to The Register's inquiries.

Backdoored NetScaler boxes

Meanwhile, another critical Citrix bug, this one in NetScaler and tracked as CVE-2023-3519, is also being used to compromise hundreds of servers, according to Fox-IT researchers.

CVE-2023-3519 is a code-injection vulnerability, and it also received a 9.8 CVSS severity score. It can, and has been, exploited for remote code execution.

Citrix issued a security alert about this CVE and two others on July 18. At the time, the vendor warned that "exploits of CVE-2023-3519 on unmitigated appliances have been observed."

According to Mandiant, the likely culprits are China-based cyberspies, though the evidence is murky. 

"Mandiant cannot attribute this activity based on the evidence collected thus far, however, this type of activity is consistent with previous operations by China-nexus actors based on known capabilities and actions against Citrix ADC's in 2022," the Google-owned threat intel team said. 

Plus, there's also proof-of-concept exploit code on GitHub, so at this point it's not too difficult for anyone to abuse this hole.

In a report published on Tuesday, Fox-IT, in collaboration with the Dutch Institute for Vulnerability Disclosure, said they've "uncovered a large-scale exploitation campaign" abusing this vulnerability to backdoor Citrix NetScaler appliances.

According to the researchers, 31,127 public-facing NetScaler servers were found vulnerable to CVE-2023-3519, and as of August 14, some 1,828 had been compromised and backdoored. Of those backdoored servers, 1,248 had since been patched.

"A patched NetScaler can still contain a backdoor," Fox-IT noted. "It is recommended to perform an indicator-of-compromise check on your NetScalers, regardless of when the patch was applied."

There are a couple of ways to do this. Fox-IT has released a Python script that uses Dissect to perform triage on forensic images of NetScalers.

Also this week, Mandiant provided a Bash script to check for indicators of compromise on live systems.

"Be aware that if this script is run twice, it will yield false positive results as certain searches get written into the NetScaler logs whenever the script is run," Fox-IT warned.
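The false-positive trap Fox-IT describes is worth seeing concretely: a live IoC scan that greps for indicator strings leaves those very strings in the appliance's command logs, so a second run "finds" its own footprints. The example below is added here and is not the Fox-IT or Mandiant script; the indicator strings, the log format and the self-tagging scheme are all constructed for illustration, and a real NetScaler check would use the vendors' published indicators instead.

```python
# Constructed, hypothetical indicator strings; placeholders, not the real NetScaler IoCs.
INDICATORS = ["PLACEHOLDER_WEBSHELL.php", "PLACEHOLDER_DROPPER_DIR"]

# Every command this triage tool runs is tagged so that the audit-log lines it
# generates itself can be recognised and skipped on a later run.
SELF_TAG = "triage-self-run"

# Constructed audit-log lines imitating a shell-command log (format made up here).
SAMPLE_LOG = [
    "Aug 14 10:01:02 host sh: cmd='ls /var/tmp'",
    "Aug 14 10:01:05 host sh: cmd='cat /var/tmp/PLACEHOLDER_WEBSHELL.php'",
    "Aug 14 10:02:11 host sh: cmd='mkdir /var/tmp/PLACEHOLDER_DROPPER_DIR'",
]


def scan(lines, indicators=INDICATORS, skip_self=True):
    """Return (line_no, indicator) hits; optionally ignore lines this tool wrote itself."""
    hits = []
    for n, line in enumerate(lines, 1):
        if skip_self and SELF_TAG in line:
            continue  # produced by an earlier run of the scanner, not by an intruder
        for ioc in indicators:
            if ioc in line:
                hits.append((n, ioc))
    return hits


def run_triage(log, indicators=INDICATORS, skip_self=True):
    """Scan the log, then append the entries a live grep-based run would leave behind."""
    hits = scan(log, indicators, skip_self)
    for ioc in indicators:
        # A real appliance logs the search command, indicator string included.
        log.append(f"Aug 14 10:30:00 host sh: cmd='grep -r {ioc} /var/log' # {SELF_TAG}")
    return hits


def naive_vs_tagged():
    """Hit counts for two consecutive runs, untagged (naive) and self-tagged."""
    naive_log = list(SAMPLE_LOG)
    first = len(run_triage(naive_log, skip_self=False))
    second = len(run_triage(naive_log, skip_self=False))   # grows: counts its own greps
    tagged_log = list(SAMPLE_LOG)
    t1 = len(run_triage(tagged_log))
    t2 = len(run_triage(tagged_log))                       # stable: own lines skipped
    return first, second, t1, t2
```

Each naive run inflates the next one's count by one hit per indicator, while the tagged variant reports the same two genuine hits every time.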

Updated to add

A spokesperson for Citrix ShareFile has been in touch with some facts and figures they wanted you to know. The rep confirmed that its customers had been attacked via the CVE-2023-24489 flaw, though attempted to play it down: "While there was a spike to 75 attacks following this, this died down immediately given that the issue has been addressed."

"The incident affected less than three percent of our install base (2,800 customers)," they claimed. "There is no known data theft from this incident."

The spinner also told us more than 80 percent of ShareFile customers had patched their environments using the May update before the vulnerability was made public in June.
