What are Citrix NetScaler ADCs and Gateways? #

NetScaler Application Delivery Controller (ADC), formerly known as Citrix ADC, acts in a number of capacities to ensure reliable application delivery to users. This can include load balancing across application servers, off-loading of certain operations, security protections, and policy enforcement.

NetScaler Gateway, formerly known as Citrix Gateway, provides single sign-on (SSO) from any device to multiple applications through a single URL.

Latest Citrix vulnerability #

A new vulnerability was disclosed in NetScaler ADC and Gateway products for version 13.1-50.23. 

There is currently no associated CVE with this particular vulnerability because Citrix had already disclosed and issue with a previously assigned CVE-2023-4996.

What is the impact? #

The vulnerability would enable an attacker to remotely obtain sensitive information from a NetScaler appliance configured as a Gateway or AAA virtual server via a very commonly connected Web interface, and without requiring authentication. This bug is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966), except it is less likely to return highly sensitive information to an attacker.

Are updates or workarounds available? #

Citrix recommends customers update to version 13.1-51.15 or later.

How do I find potentially vulnerable systems with runZero? #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

product:netscaler

CVE-2023-3519 (July 2023) #

In July, 2023, Citrix alerted customers to three vulnerabilities in its NetScaler ADC and NetScaler Gateway products. Surfaced by researchers at Resillion, these vulnerabilities included a critical flaw currently being exploited in the wild to give attackers unauthenticated remote code execution on vulnerable NetScaler targets (CVE-2023-3519). Compromised organizations included a critical infrastructure entity in the U.S., where attackers gained access the previous month and successfully exfiltrated Active Directory data. And at the time of publication, there appear to be over 5,000 public-facing vulnerable NetScaler targets.

What was the impact? #

The three reported vulnerabilities affecting NetScaler ADC and Gateway products were of various types, and each include different preconditions required for exploitation:

• Unauthenticated remote code execution (CVE-2023-3519; CVSS score 9.8 – “critical”)
  • Successful exploitation required the NetScaler target be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or “authentication, authorization, and auditing” (AAA) virtual server.
• Reflected cross-site scripting (XSS) (CVE-2023-3466; CVSS score 8.3 – “high”)
  • Successful exploitation required the victim to be on the same network as the vulnerable NetScaler target when the victim loaded a malicious link (planted by the attacker) in their web browser.
• Privilege escalation to root administrator (nsroot) (CVE-2023-3467; CVSS score 8.0 – “high”)
  • Successful exploitation required an attacker having achieved command-line access on a vulnerable NetScaler target.

U.S.-based CISA reported attackers exploiting CVE-2023-3519 to install webshells used in further network exploration and data exfiltration, causing CVE-2023-3519 to be added to CISA’s Known Exploited Vulnerabilities Catalog. Other common attacker goals, like establishing persistence, lateral movement, and malware deployment, were all potential outcomes following successful exploitation.

Citrix made patched firmware updates available. Admins were advised to update older firmware on vulnerable NetScaler devices as soon as possible.

CISA also made additional information available around indicators of compromise and mitigations.

How did runZero customers find potentially vulnerable NetScaler instances with runZero? #

From the Asset inventory, they used the following prebuilt query to locate NetScaler instances on their network:

hw:netscaler or os:netscaler

Results from the above query should be triaged to verify they are affected ADC or Gateway products and if they are running updated firmware versions.

The following query could also be used in on the Software and Services inventory pages to locate NetScaler software:

product:netscaler

Results from the above query should be triaged to verify they are affected ADC or Gateway products and if they are updated versions.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Latest Rockwell Automation vulnerabilities #

Rockwell Automation has disclosed a vulnerability in their ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR products.

CVE-2024-3493 is rated high with CVSS score of 8.6 involves a specific malformed fragmented packet type which can cause a major nonrecoverable fault (MNRF) in Rockwell Automation’s ControlLogix 5580, Guard Logix 5580, CompactLogix 5380, and 1756-EN4TR. If exploited, the affected product will become unavailable and require a manual restart to recover it.

What is the impact? #

Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

Are updates or workarounds available? #

Rockwell Automation has provided software updates for the impacted versions.

How do I find potentially vulnerable systems with runZero? #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"1756-EN4TR"

Rockwell Automation PowerFlex 527 vulnerabilities (March 2024) #

In March 2024, Rockwell Automation disclosed multiple vulnerabilities in their PowerFlex 527 product.

CVE-2024-2425 and CVE-2024-2426 are both rated high with CVSS score of 7.5 and both involve improper input validation which could cause a web server to crash and CIP communication disruption, respectively, which leads to requiring manual restarts.

CVE-2024-2427 is rated high with CVSS score of 7.5 and indicates a denial-of-service scenario due to improper network packet throttling which causes a device to crash and require a manual restart.

What was the impact? #

Successful exploitation of these vulnerabilities result in devices becoming inaccessible remotely and crashing and then require manual intervention to restart them.

Are updates or workarounds available? #

Rockwell Automation does not currently have a fix for these vulnerabilities. Users of the affected software are encouraged to apply risk mitigations and security best practices, where possible.

Users should disable the web server if it is not needed, which should be disabled by default. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted packets flooding the device.

How do I find potentially vulnerable systems with runZero? #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw.product:"powerflex"

Latest CVE-2024-3094 (XZ Utils backdoor) coverage 

Andres Freund discovered a malicious backdoor in a recent revision of the XZ Utils package. This backdoor was introduced by a threat actor who spent years building trust in the open source community before taking over maintenance of the XZ Utils project. After gaining access as a maintainer, the threat actor introduced the malicious code in multiple obfuscated steps. This backdoor could allow the threat actor to run arbitrary commands without authentication through the OpenSSH daemon.

CVE-2024-3094 is rated critical with CVSS score of 10.0.

An overview of this issue can be found at ArsTechnica.

Russ Cox published a detailed timeline.

What is the impact?

Successful exploitation of this backdoor would allow the actor responsible to run arbitrary system commands without authentication.

Anthony Weems built a fantastic proof-of-concept and demo kit for reproducing the backdoor.

Are updates or workarounds available?

This backdoor was enabled when a build was run on an x86_64 (amd64) system that was building a Debian “DEB” or Red Hat “RPM” package. The issue was caught prior to widespread release and the list of affected distributions is small as a result.

The following distributions shipped a combination of packages that resulted in a backdoored SSH daemon:

• Red Hat Fedora Linux (Rawhide)
• Debian Linux (unstable and testing builds)
• Kali Linux (rolling release)
• OpenSUSE Linux (Tumbleweed & MicroOS)

Additional information about this issue can be found across the web and in various distribution-specific trackers:

• Amazon Linux
• Ubuntu Linux
• Gentoo Linux
• Arch Linux
• Alpine Linux
• GitHub Advisory

How to find potentially affected systems with runZero

The runZero team is investigating whether a direct check against SSH is possible.

In the meantime, we suggest using this runZero Service Inventory query:

_asset.protocol:ssh protocol:ssh (banner:="SSH-2.0-OpenSSH_9.6" OR banner:="SSH-2.0-OpenSSH_9.6p1%Debian%" OR banner:="SSH-2.0-OpenSSH_9.7p1%Debian%")

This query is based on the following logic:

1. Identify any instances of Fedora Rawhide or OpenSUSE Tumbleweed & MicroOS in your environment. The easiest way to find potentially affected installations is to look for OpenSSH servers running version 9.6, which is a recent release specific to those rolling distributions.

2. Identify any instances of Debian or Kali rolling builds. The easiest way to do this is by looking for recently-released (9.6 & 9.7) Debian-flavored OpenSSH services, as these packages were shipped in the Debian unstable and Kali Linux rolling releases.

Fortra has disclosed a vulnerability in their FileCatalyst Workflow product. This vulnerability allows for attackers to write files to arbitrary locations in the filesystem and can lead to arbitrary remote code execution with the privileges of the vulnerable service.

This vulnerability has been assigned CVE-2024-25153 and is considered to be highly critical, with a CVSS score of 9.8.

Note that this vulnerability was reported and fixed in August of 2023, but has only recently been assigned a CVE.

What is the impact?

Successful exploitation of this vulnerability would allow attackers to execute arbitrary code with the privileges of the vulnerable service, potentially leading to complete system compromise.

Are updates or workarounds available?

Fortra has released a fix for this vulnerability and advises all users to upgrade if they have not already done so.

How do I find potentially vulnerable systems with runZero?

From the Service Inventory, use the following query to locate systems running potentially vulnerable software:

html.title:”FileCatalyst”

Latest Siemens vulnerabilities 

Siemens has released security advisories for a variety of products and devices, including the SENTRON, SCALANCE, and RUGGEDCOM product lines.

Several of the vulnerabilities have CVSS scores in the 7.0 to 8.9 range (high) and several more in the 9.0 to 10.0 range (critical).

For a full list of vulnerabilities, please consult Siemens ProductCERT.

What is the impact?

Several of these vulnerabilities allow for unauthenticated remote code execution, allowing for compromise of the vulnerable systems. Other vulnerabilities may lead to privilege escalation, information disclosure, or denial of service. Users are urged to upgrade as quickly as possible.

Are updates or workarounds available?

Siemens has released updates via a variety of channels. See Siemens ProductCERT for details.

How do I find potentially vulnerable systems with runZero?

From the Asset Inventory, use the following query to locate Siemens assets that may be vulnerable:

hardware:Siemens OR hardware:RuggedCom