A new exploit technique targeting a recent Citrix Application Delivery Controller (ADC) and Gateway vulnerability can be used against thousands of unpatched devices, cybersecurity firm Bishop Fox claims.
Tracked as CVE-2023-3519 and patched last week, the critical-severity bug can be exploited to execute arbitrary code remotely, without authentication, on vulnerable appliances that are configured as a gateway or AAA virtual server.
Last week, CISA warned that attacks exploiting the flaw have been seen since June 2023, in at least one case targeting a critical infrastructure organization.
On Friday, Bishop Fox warned of a new way to exploit the vulnerability, one that can be used against any appliance that is set as a gateway or AAA virtual server and which exposes a specific route that is enabled by default on certain installations.
“The vulnerability is a simple unauthenticated stack overflow. This is made significantly worse by the fact that exploit mitigations do not protect the vulnerable function on some versions,” Bishop Fox notes.
“The vulnerable binary is compiled without PIE and with an executable stack, and on the VPX version, there is no stack canary. As a result, exploitation is trivial. Our exploit cleanly returns without crashing the vulnerable process,” the cybersecurity firm continues.
The exploit, the company says, is different from previously detailed exploitation techniques and does not require SAML to be enabled. However, technical details on the identified vulnerable route are not being disclosed now.
Bishop Fox also notes that their analysis of the vulnerable appliances revealed the existence of roughly 61,000 Citrix Gateway login pages that are accessible from the internet, with more than half of these devices (roughly 32,000) unpatched against CVE-2023-3519.
Furthermore, the company claims that roughly 21,000 appliances that are unpatched also expose the vulnerable route, which renders them prone to the new exploitation technique.