Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation.
The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution.
The flaw, patched by Citrix last month, carries a CVSS score of 9.8.
The largest number of impacted IP addresses are based in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil.
The exploitation of CVE-2023-3519 to deploy web shells was previously disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which said the attack was directed against an unnamed critical infrastructure organization in June 2023.
The disclosure comes as GreyNoise said it detected three IP addresses attempting to exploit CVE-2023-24489 (CVSS score: 9.1), another critical flaw in Citrix ShareFile software that allows for unauthenticated arbitrary file upload and remote code execution.
The issue has been addressed in ShareFile storage zones controller version 5.11.24 and later.
Attack surface management company Assetnote, which discovered and reported the bug, traced it to a simpler variant of a padding oracle attack.
“[Cipher Block Chaining] mode and PKCS#7 padding are the default values for AES encryption in .NET,” security researcher Dylan Pindur said.
“Look at how it behaves when invalid versus valid padding is provided. Does it result in an error? Are the errors different? Does it take longer or shorter to process? All of these can lead to a potential padding oracle attack.”
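As an added illustration of the .NET defaults Pindur describes (this code is not from the article, Assetnote, or Citrix), the leaky decrypt path that surfaces a distinguishable padding error is shown beside an encrypt-then-MAC variant that checks an HMAC-SHA256 tag in constant time before any decryption, so a tampered ciphertext never reaches the padding check. The blob layout IV || ciphertext || tag, the sample message, and a .NET 6+ runtime are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PaddingOracleDemo
{
    // Leaky path: Aes.Create() defaults to CBC mode with PKCS#7 padding. A caller who can
    // submit ciphertext and tell "padding invalid" apart from any other outcome has an oracle.
    public static byte[] DecryptLeaky(byte[] key, byte[] iv, byte[] ct)
    {
        using var aes = Aes.Create();           // Mode = CBC, Padding = PKCS7 by default
        aes.Key = key; aes.IV = iv;
        return aes.CreateDecryptor().TransformFinalBlock(ct, 0, ct.Length);
    }

    // Hardened path (assumed layout): IV(16) || CT || HMAC-SHA256(32) over IV||CT.
    // The tag is verified in constant time first, and every failure returns the same false.
    public static bool TryDecryptAuthenticated(byte[] encKey, byte[] macKey, byte[] blob, out byte[] pt)
    {
        pt = null;
        const int IvLen = 16, TagLen = 32;
        if (blob.Length < IvLen + TagLen + 16) return false;
        int ctLen = blob.Length - IvLen - TagLen;
        using var hmac = new HMACSHA256(macKey);
        byte[] expected = hmac.ComputeHash(blob, 0, IvLen + ctLen);
        if (!CryptographicOperations.FixedTimeEquals(expected, blob.AsSpan(IvLen + ctLen, TagLen)))
            return false;                       // rejected before the cipher ever runs
        try
        {
            using var aes = Aes.Create();
            aes.Key = encKey; aes.IV = blob.AsSpan(0, IvLen).ToArray();
            pt = aes.CreateDecryptor().TransformFinalBlock(blob, IvLen, ctLen);
            return true;
        }
        catch (CryptographicException) { return false; } // indistinguishable from a bad tag
    }

    public static byte[] EncryptAuthenticated(byte[] encKey, byte[] macKey, byte[] pt)
    {
        using var aes = Aes.Create();
        aes.Key = encKey; aes.GenerateIV();
        byte[] ct = aes.CreateEncryptor().TransformFinalBlock(pt, 0, pt.Length);
        byte[] blob = new byte[16 + ct.Length + 32];
        aes.IV.CopyTo(blob, 0); ct.CopyTo(blob, 16);
        using var hmac = new HMACSHA256(macKey);
        hmac.ComputeHash(blob, 0, 16 + ct.Length).CopyTo(blob, 16 + ct.Length);
        return blob;
    }

    static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32), macKey = RandomNumberGenerator.GetBytes(32);
        byte[] blob = EncryptAuthenticated(encKey, macKey, Encoding.UTF8.GetBytes("constructed sample message"));
        // Flip one bit in the last byte of the next-to-last ciphertext block: in CBC this XORs the
        // same bit into the final plaintext byte (a 0x06 padding byte), so PKCS#7 validation fails.
        blob[blob.Length - 32 - 16 - 1] ^= 0x01;
        try { DecryptLeaky(encKey, blob[..16], blob[16..^32]); }
        catch (CryptographicException e) { Console.WriteLine("leaky: " + e.Message); }
        Console.WriteLine("hardened: " + TryDecryptAuthenticated(encKey, macKey, blob, out _));
    }
}
```

The leaky call surfaces .NET's "Padding is invalid and cannot be removed" message, while the authenticated call only reports false, which is the observable difference Pindur's checklist is probing for.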
Some parts of this article are sourced from:
thehackernews.com