
Fix Citrix ADC Gateway Remote Code Execution Vulnerability – Step-by-Step Security Patch Guide

Fix Citrix ADC Gateway Remote Code Execution Vulnerability 

I. Foreword

A risk advisory from Citrix regarding NetScaler ADC and NetScaler Gateway, with vulnerability ID CVE-2023-3519. Vulnerability level: Critical. Vulnerability score: 9.8.

Vulnerability Impact: Attackers can use this vulnerability to bypass any authentication and directly access the shell on NetScaler devices configured as a Gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or AAA virtual server, and then penetrate the internal network to perform illegal operations (this has been verified in a test environment).

Understanding the Citrix ADC Gateway RCE Vulnerability

Citrix ADC (formerly NetScaler) Gateway is widely used for secure remote access to corporate networks. Recently, a Remote Code Execution (RCE) vulnerability was discovered that allows attackers to execute arbitrary commands on unpatched appliances. It is documented in Citrix Security Bulletins and tracked under the CVE (Common Vulnerabilities and Exposures) ID CVE-2023-3519.

If exploited, attackers can:

  • Gain unauthorized administrative access.

  • Install malware or backdoors.

  • Exfiltrate sensitive corporate data.

  • Disrupt business-critical services.

Check If Your Citrix ADC is Vulnerable

  1. Log in to the Citrix ADC CLI or web UI.

  2. Check your software build number using:

      
    show version
    

  3. Compare against Citrix’s latest security advisory.

II. Experimental Results

The figure shows Kali being used to bypass the NetScaler management interface and enter shell mode. The image below is a screenshot of the test environment verification; the verification steps have been omitted.



III. Affected Versions (CVE-2023-3519)

You can check if your current version is within the affected range based on the list below.

| Component | Affected Version | Secure Version |
|---|---|---|
| Citrix: NetScaler ADC, NetScaler Gateway | 13.0 < 13.0-91.13 | 13.0 >= 13.0-91.13 |
| Citrix: NetScaler ADC, NetScaler Gateway | 13.1 < 13.1-49.13 | 13.1 >= 13.1-49.13 |
| Citrix: NetScaler ADC | 12.1-FIPS < 12.1-55.297 | 12.1-FIPS >= 12.1-55.297 |
| Citrix: NetScaler ADC | 12.1-NDcPP < 12.1-55.297 | 12.1-NDcPP >= 12.1-55.297 |
| Citrix: NetScaler ADC | 13.1-FIPS < 13.1-37.159 | 13.1-FIPS >= 13.1-37.159 |
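
The version check and the table above can be combined into a small script. This is an added example, not code from the original post or from Citrix; the sample version strings are constructed, and the edition parameter is an assumption because the FIPS/NDcPP edition is supplied by the operator rather than inferred from the version string.

```python
import re

# First secure build per (release, edition), copied from the table above.
FIXED_BUILDS = {
    ("13.0", "standard"): (91, 13),
    ("13.1", "standard"): (49, 13),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
    ("13.1", "FIPS"): (37, 159),
}

# Accepts "NS13.1: Build 33.47.nc" as well as the shorter "NS13.1 33.47.nc".
VERSION_RE = re.compile(r"NS(\d+\.\d+)\D*?(\d+)\.(\d+)")


def parse_show_version(text):
    """Return (release, (build_major, build_minor)), or None if nothing matches."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def check_cve_2023_3519(show_version_output, edition="standard"):
    """Classify a build as 'vulnerable', 'fixed', 'not-listed' or 'unparsed'."""
    parsed = parse_show_version(show_version_output)
    if parsed is None:
        return "unparsed"
    release, build = parsed
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        # Release/edition is outside the table; consult the vendor advisory.
        return "not-listed"
    # Integer tuples compare field by field, so 49.13 sorts above 9.99
    # (a plain string comparison would get that wrong).
    return "vulnerable" if build < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real appliance.
    samples = [
        ("NetScaler NS13.1: Build 33.47.nc, Date: (constructed)", "standard"),
        ("NetScaler NS13.1: Build 49.13.nc, Date: (constructed)", "standard"),
        ("NetScaler NS13.1: Build 37.159.nc, Date: (constructed)", "FIPS"),
    ]
    for line, edition in samples:
        print(f"{check_cve_2023_3519(line, edition):11} {edition:9} {line}")
```

The same build number can be fixed for one edition and vulnerable for another (13.1-37.159 is the FIPS fix but is below 13.1-49.13), so pass the edition explicitly when checking FIPS or NDcPP appliances.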

IV. Preparations before upgrading

1. We will mainly demonstrate upgrading a Citrix ADC 8910 (hardware). The current version is Release: NS13.1 33.47.nc.

Upgrade tool: MobaXterm (SSH login to execute commands and upload files)

2. Back up the configuration file. Open the location shown in the figure: System -> Backup and Restore

3. Enter the backup name, as shown in Figure 

4. Select to download the file and save it locally for easy recovery.

V. Command line upgrade steps

1. Log in to SSH, save the configuration, and save nsconfig


2. Upload the upgrade package to the directory /var/nsinstall. The version is: build-13.1-49.13_nc_64.


3. Extract the file: tar -zxvf build-13.1-49.13_nc_64.tgz


4. Click Install


5. Restart


6. Upgrade completed


7. After the upgrade is completed, delete the installation package so that it does not take up disk space


VI. GUI upgrade steps

1. Log in to the Citrix ADC Web page


2. Open the update path


3. Select the upgrade package


4. Click Upgrade

5. Restart after the upgrade is completed.

By following this guide, you protect your Citrix ADC Gateway from one of the most dangerous threats in recent years — a remote code execution attack that could compromise your entire network.