A zero-day vulnerability capable of executing arbitrary code is discovered in Citrix's NetScaler products and Adobe ColdFusion

Citrix, a technology company, has found a serious zero-day vulnerability that has already been exploited in ``NetScaler ADC'' and ``NetScaler Gateway'', which are appliance products for building networks, and will promptly update the version. I warned you.

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467
https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Citrix Releases Security Updates for NetScaler ADC and Gateway | CISA
https://www.cisa.gov/news-events/alerts/2023/07/18/citrix-releases-security-updates-netscaler-adc-and-gateway

New critical Citrix ADC and Gateway flaw exploited as zero-day
https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-day/

The reported vulnerabilities are ` ` CVE-2023-3519 '' `` CVE-2023-3466 '' ` ` CVE-2023-3467 ''. CVE-2023-3519 is a vulnerability that allows remote code execution without authentication, CVE-2023-3466 is a cross-site scripting (XSS) vulnerability, CVE-2023-3467 is a vulnerability that can escalate to root administrator privileges That's what I'm talking about. Of these, CVE-2023-3519 has a severity rating of 9.8 out of 10, and it seems that examples of its exploitation have already been confirmed.

The target versions are as follows. Citrix states that version 12.1 has reached its end of life and should be upgraded to a newer version.

・NetScaler ADC and NetScaler Gateway version 13.1-49.13 or later
・NetScaler ADC and NetScaler Gateway versions 13.0-91.13 and 13.0 or later
・NetScaler ADC 13.1-FIPS version 13.1-37.159 or later
・NetScaler ADC 12.1-FIPS version 12.1-65.36 or later
・NetScaler ADC 12.1-NDcPP version 12.1-65.36 or later

According to Bleeping Computer, a security-related news site, in early July 2023, someone wrote on a forum for hackers that ``Citrix ADC version 13.1 build 48.47 and up had a zero-day vulnerability that allowed remote code execution.'' So, Citrix said that it was working on creating a correction patch before publishing the problem triggered by this writing. Citrix strongly recommends updating to a fixed version that addresses the zero-day vulnerability in question.

In December 2022, Citrix ADC and Citrix Gateway were confirmed to have vulnerabilities that could allow remote execution of arbitrary code, and we called for an immediate update.

Vulnerability of Citrix ADC and Citrix Gateway (CVE-2022-27518) | Information Security | IPA Information-technology Promotion Agency, Japan
https://www.ipa.go.jp/security/security-alert/2022/alert20221214.html

In addition, security company Rapid 7 reports that a vulnerability ' CVE-2023-38203 ' was discovered in ColdFusion , Adobe's development framework.

Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities | Rapid7 Blog
https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/

In July 2023, Adobe ColdFusion discovered a security function bypass vulnerability ' CVE-2023-29298 ' and a vulnerability ' CVE-2023-29300 ' that allowed arbitrary code execution, and released a patch. It was just The CVE-2023-38203 discovered this time is a vulnerability similar to CVE-2023-29300, and a new patch was distributed just three days after the distribution of the previous patch.

The versions vulnerable to both CVE-2023-29298 and CVE-2023-38203 are as follows. However, according to Rapid 7, although the latest version at the time of writing has fixed CVE-38203, it is still vulnerable to CVE-2023-29298.

・Adobe ColdFusion 2023 Update 1
・Adobe ColdFusion 2021 Update 7 or later
・Adobe ColdFusion 2018 Update 17 or later