When upgrading NetScaler getting error -bash: ./installns: /usr/bin/perl: bad interpreter

The Cloud Software Group has confirmed that several of its products, including NetScaler ADC and NetScaler Gateway, are impacted.

Citrix warns that patching new vulnerabilities on NetScaler appliances could result in broken login pages. The culprit? A Content Security Policy (CSP) header now enabled by default. While designed to block unauthorized scripts, it might inadvertently restrict legitimate ones, complicating life for admins. Proceed with caution, and maybe a prayer.

Citrix warns that patching recently disclosed vulnerabilities that can be exploited to bypass authentication and launch denial-of-service attacks may also break login pages on NetScaler ADC and Gatewa...

No description available.

The U.S. CISA adds Citrix NetScaler ADC and Gateway flaw, dubbed CitrixBleed 2, to its Known Exploited Vulnerabilities catalog. This vulnerability, a sequel with a CVSS score of 9.3, lets attackers swipe session cookies. It's like the 2023 exploit, but back with more drama than a reality TV reunion.

Migrate from AppFlow Policies to Analytics Profiles to get HDX and Gateway Insight to work again with NetScaler Console.

Die Schwachstelle in Citrix-Netscaler lässt die CISA aktiv werden. US-Behörden müssen sofort handeln.

Threat researchers warn the flaw could open up a flood of attacks that rival the 2023 CitrixBleed crisis.

Explore the critical CVE-2025-7775 vulnerability in Citrix NetScaler and learn how to mitigate this severe security threat.

: LLMs and 0-days - what could possibly go wrong?

LLMs and 0-days - what could possibly go wrong? Attackers on underground forums claimed they were using HexStrike AI, an open-source red-teaming tool, against Citrix NetScaler vulnerabilities within hours of disclosure, according to Check Point cybersecurity evangelist Amit Weigman.…

<p>The Cybersecurity and Infrastructure Security Agency (CISA) recently released a security advisory that indicates that threat actors have been exploiting a <a href="https://gbhackers.com/zero-day-vulnerability-citrix-netscaler/">Zero-day vulnerability in Citrix</a> ADC (Application Delivery Controller) and NetScaler Gateways. </p> <p>A vulnerability was discovered that enabled the placement of a webshell on a non-production environment of a critical infrastructure organization. This was reported to CISA and Citrix Systems.</p> <p>Threat actors exploited an unauthenticated, remote code execution vulnerability to drop these webshells on the environment and also attempted to laterally move to the domain controller. However, it was blocked due to network-segmentation controls.</p> <h2><strong><a href="https://gbhackers.com/citrix-secure-access-flaw/">CVE-2023-3519</a>: Code Injection Vulnerability</strong></h2> <p>This vulnerability can be exploited by a threat actor if the appliance is configured as a Gateway (VPN Virtual Server, RDP proxy etc.,) or Authentication, Authorization and Auditing (AAA) Server. The CVSS Score for this vulnerability is given as 9.8 (<strong>Critical</strong>).</p> <p>Citrix systems has <a href="https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467">released patches</a> for fixing this vulnerability. </p> <h2><strong>Affected Products</strong></h2> <ul> <li>NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 </li> <li>NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13</li> <li>NetScaler ADC and NetScaler Gateway version 12.1, now end of life</li> <li>NetScaler ADC 13.1-FIPS before 13.1-37.159</li> <li>NetScaler ADC 12.1-FIPS before 12.1-65.36</li> <li>NetScaler ADC 12.1-NDcPP before 12.65.36</li> </ul> <h2><strong>Technical Analysis</strong></h2> <p>Threat actors uploaded a malicious TGZ file on the ADC appliance, which consisted of setuid binary, generic webshell and discovery script for conducting an SMB scan on the ADC. Furthermore, AD enumeration and data exfiltration were performed with the webshell. Additional activities performed by the threat actors include,</p> <ul> <li>Viewing of NetScaler Configuration file (Contains encrypted passwords)</li> <li>Viewing NetScaler Decryption Keys (Used for decrypting extracted passwords from Config file)</li> <li>Conducting LDAP search via decrypted AD credentials and extracted data like Users, Computers, Groups, Subnets, Organisational Units, Contacts, Partitions, and Trusts </li> </ul> <div> <blockquote><p lang="en" dir="ltr"><a href="https://twitter.com/hashtag/Citrix?src=hash&amp;ref_src=twsrc%5Etfw">#Citrix</a> <a href="https://twitter.com/hashtag/Vulnerability?src=hash&amp;ref_src=twsrc%5Etfw">#Vulnerability</a><br><img src="https://s.w.org/images/core/emoji/14.0.0/72x72/1f6a8.png" alt="🚨">We have developed a simple scan script for CVE-2023-3519. It looks for HTTP header "Last Modified" <img src="https://s.w.org/images/core/emoji/14.0.0/72x72/23f2.png" alt="⏲">timestamps from known patched systems that we have collected as they are always the same. It may not work with reverse proxies or heavily modified pages. <a href="https://t.co/Jcvj7L2LSl">pic.twitter.com/Jcvj7L2LSl</a></p>— Deutsche Telekom CERT (@DTCERT) <a href="https://twitter.com/DTCERT/status/1682032701430452233?ref_src=twsrc%5Etfw">July 20, 2023</a></blockquote> </div> <div> <blockquote><p lang="en" dir="ltr">Now sharing info on likely CVE-2023-3519 vulnerable Citrix ADC/Gateway instances in our Vulnerable HTTP report: <a href="https://t.co/qxv0Gv6cAK">https://t.co/qxv0Gv6cAK</a><br><br>At least 11170 unique IPs found, most in the US (4.1K).<br><br>Make sure to patch: <a href="https://t.co/EHskF4kLdt">https://t.co/EHskF4kLdt</a><br><br>Dashboard stats: <a href="https://t.co/zbdpCDDaOF">https://t.co/zbdpCDDaOF</a> <a href="https://t.co/bJs1e32dIX">pic.twitter.com/bJs1e32dIX</a></p>— Shadowserver (@Shadowserver) <a href="https://twitter.com/Shadowserver/status/1682022404825182214?ref_src=twsrc%5Etfw">July 20, 2023</a></blockquote> </div> <p>Other queries by the threat actors were unsuccessful as the organization implemented a segmented environment for the ADC appliance. The exfiltration queries that failed are as follows</p> <ul> <li>Execution of subnet-wide curl command for scanning internal network as well as checking for potential lateral movement targets</li> <li>Outbound network connectivity with a ping command to google.com</li> <li>Subnet-wide host commands for DNS lookup </li> </ul> <p>Nevertheless, the threat actors also deleted the authorization config file <em>/etc/auth.conf</em> to prevent privileged users from logging in remotely. If an attempt by the organization was made to regain access to the server by rebooting into single user mode, it would delete the threat actors’ artifacts.</p> <p>CISA has released a <a href="https://www.cisa.gov/sites/default/files/2023-07/aa23-201a_csa_threat_actors_exploiting_citrix-cve-2023-3519_to_implant_webshells.pdf">complete report</a> about the MITRE ATT&amp;CK framework, detection methods, mitigation and prevention steps. It is recommended for organizations to follow them and mitigate these kinds of breaches by threat actors.</p> <p>The post <a href="https://cybersecuritynews.com/citrix-netscaler-hackers-webshells/">Hackers Exploiting Critical Citrix NetScaler Zero-day Flaw To Deploy Webshells</a> appeared first on <a href="https://cybersecuritynews.com">Cyber Security News</a>.</p>