The Department of Information and Communications Technology (DICT) through the National Cyber Security Center (NCSC) issues this advisory to alert all PNG Government departments, agencies, and organizations about critical vulnerabilities discovered in Citrix ADC and Citrix Gateway products.
Citrix, a prominent provider of networking and cloud computing technologies, recently released a security bulletin on July 18, 2023, highlighting multiple critical vulnerabilities in their NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. These vulnerabilities pose significant risks as they could compromise the confidentiality, integrity, or availability of affected systems.
The identified vulnerabilities are tracked under the Common Vulnerabilities and Exposures (CVE) system with the following reference numbers: CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467. If successfully exploited, these vulnerabilities could allow an attacker to gain unauthorized control of affected systems.
Citrix has already identified active exploitation of one of these critical vulnerabilities, CVE-2023-3519, against unpatched appliances. Note that exploitation of this vulnerability requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and accounting (AAA) virtual server.
The vulnerable versions of Citrix ADC and Citrix Gateway that require immediate attention are as follows:
1. NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
2. NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
3. NetScaler ADC 13.1-FIPS before 13.1-37.159
4. NetScaler ADC 12.1-FIPS before 12.1-55.297
5. NetScaler ADC 12.1-NDcPP before 12.1-55.297
To safeguard your organization’s systems and data, DICT and NCSC strongly recommend taking the following actions:
1. Review Networks: All PNG Government departments, agencies, and organizations are urged to conduct a comprehensive review of their networks to identify any instances of Citrix NetScaler ADC and NetScaler Gateway that are vulnerable.
2. Install Updates: If your organization is utilizing any of the vulnerable versions mentioned above, it is imperative to install the relevant updates provided by Citrix without delay. The fixed versions addressing these vulnerabilities are:
• NetScaler ADC and NetScaler Gateway 13.1: 13.1-49.13 and later releases
• NetScaler ADC and NetScaler Gateway 13.0: 13.0-91.13 and later releases
• NetScaler ADC 13.1-FIPS: 13.1-37.159 and later releases
• NetScaler ADC 12.1-FIPS: 12.1-55.297 and later releases
• NetScaler ADC 12.1-NDcPP: 12.1-55.297 and later releases
Important Note: NetScaler ADC and NetScaler Gateway version 12.1 has reached End Of Life (EOL) status and is vulnerable. Users still on this version are strongly advised to upgrade immediately to a supported version to mitigate potential security risks.
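To support the network review and update steps above, the following added example (not part of this advisory or of any Citrix tooling) triages NetScaler version strings in the `major.minor-build.subbuild` form used in the lists above against the fixed builds the advisory names. The edition labels (`standard`, `fips`, `ndcpp`) and the sample inventory are assumptions constructed for illustration.

```python
import re
from typing import Dict, Tuple

# Fixed builds as listed in the advisory, keyed by (release branch, edition).
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("13.1", "standard"): (49, 13),   # NetScaler ADC and Gateway 13.1-49.13
    ("13.0", "standard"): (91, 13),   # NetScaler ADC and Gateway 13.0-91.13
    ("13.1", "fips"): (37, 159),      # NetScaler ADC 13.1-FIPS 13.1-37.159
    ("12.1", "fips"): (55, 297),      # NetScaler ADC 12.1-FIPS 12.1-55.297
    ("12.1", "ndcpp"): (55, 297),     # NetScaler ADC 12.1-NDcPP 12.1-55.297
}
# Standard 12.1 is End Of Life per the advisory: no fixed build, upgrade required.
EOL_BRANCHES = {("12.1", "standard")}

# NetScaler builds look like "13.1-48.47": branch "13.1", build 48, sub-build 47.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split a NetScaler version string into its branch and numeric build tuple."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version format: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version: str, edition: str = "standard") -> str:
    """Return 'patched', 'vulnerable', 'vulnerable-eol' or 'unknown' for one appliance."""
    branch, build = parse_version(version)
    key = (branch, edition.lower())
    if key in EOL_BRANCHES:
        return "vulnerable-eol"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown"          # branch/edition not covered by this advisory
    # Tuple comparison orders by build first, then sub-build, so 13.1-50.1 > 13.1-49.13.
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map each hostname in a constructed inventory {host: (version, edition)} to its status."""
    return {host: assess(ver, ed) for host, (ver, ed) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {"gw-01": ("13.1-48.47", "standard"), "adc-fips": ("13.1-37.159", "fips")}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```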
For more detailed information and specific instructions regarding the vulnerabilities and updates, we encourage you to refer to the official Citrix Advisory through the following link: Citrix ADC and Citrix Gateway Security Bulletin.
Prompt action is crucial in addressing these critical vulnerabilities to ensure the security and stability of your organization’s systems and data. By remaining vigilant and keeping your infrastructure up-to-date, you can effectively safeguard against potential cyber threats.
The NCSC and the Department of ICT are dedicated to promoting a secure digital environment, and we encourage all stakeholders to adhere to the recommended actions for enhanced cybersecurity resilience.
For any further assistance or inquiries, please reach out to the National Cyber Security Center (NCSC). Together, let us prioritize cybersecurity and protect Papua New Guinea’s digital landscape.