“The vulnerability we identified only requires the device to be configured as a gateway or AAA virtual server, and to expose a specific vulnerable route that seems to be enabled by default on some installations, but not others (we’re not yet sure what causes this variance),” the Bishop Fox researchers said. “Given the lack of SAML requirement, we believe that this stack overflow is CVE-2023-3519, and the SAML parser bug is a separate vulnerability which was silently patched without an associated advisory.”
Researchers from Assetnote confirmed Monday, after additional investigation, that there do indeed appear to be two separate remote code execution flaws: one that doesn’t require SAML and is likely CVE-2023-3519, and the SAML-dependent one they initially found.
CVE-2023-3519 was a zero-day vulnerability
According to a CISA advisory released Thursday, attackers have been exploiting the CVE-2023-3519 flaw since June to deploy webshells on appliances. This means the vulnerability had zero-day status — publicly known and unpatched — for around a month.
According to CISA, the attack was detected on a NetScaler appliance belonging to a critical infrastructure organization and the attackers used the webshell — a web-based backdoor script — to scan the victim’s Active Directory (AD) environment and to exfiltrate data about it.
The attackers subsequently attempted to move laterally to a domain controller on the network but were blocked by network segmentation policies. The attackers also deployed a second PHP-based webshell with proxying capabilities to proxy SMB traffic to the targeted domain controller.
“The actors deleted the authorization configuration file (/etc/auth.conf) – likely to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI),” CISA said. “To regain access to the ADC appliance, the organization would normally reboot into single use mode, which may have deleted artifacts from the device; however, the victim had an SSH key readily available that allowed them into the appliance without rebooting it.”

Bishop Fox worked with the GreyNoise intelligence service, which maintains a network of sensors to track automated exploitation attempts. Since detection was added on July 21, GreyNoise has observed no exploitation attempts. This doesn’t mean that targeted attacks like the one in June are not happening. Now that more details about the vulnerability are available, other attackers might develop exploits and the number of attacks might increase. The fact that 53% of publicly exposed NetScaler ADC appliances have yet to deploy the patches is concerning.