What are the signs of CVE-2023-3519 being exploited?


FUNDY MUTUAL


It's all fine and dandy that an advisory and patch were published for CVE-2023-3519, but what are the signs we should be searching for that one of our devices was being actively exploited? This does not appear to be documented anywhere... Seems to me that this is a pretty important detail that is missing from the advisories!


16 hours ago, FUNDY MUTUAL said:

It's all fine and dandy that an advisory and patch were published for CVE-2023-3519, but what are the signs we should be searching for that one of our devices was being actively exploited? This does not appear to be documented anywhere... Seems to me that this is a pretty important detail that is missing from the advisories!

I found this tweet with some possible commands to check.  Don't know if this person knows what they are doing or not.  Seemed legit.  What do you all think?

https://twitter.com/malkoegler/status/1681636739406782464?s=20


So I just had a look at that... First, there are a few errors in it where the lines are run together. That's a simple fix.

The issue I see with it, though, is that the 4 x find commands appear to return all the files that were updated by the patch (time stamped on my machine as 2023-07-10 15:32; I don't know if it is taking time zone info into account), so that makes it semi-useless. I guess if you ran this prior to installing build-13.1-49.13_nc_64.tgz, then you'd get useful output. But I've already applied the update to all 20 of the Netscalers I manage.

That said, here is what @Malkoegler posted in the screenshot there.

shell

# Recently installed builds and update files
ls -ll /var/nsinstall

# Files written since 2023-05-01 in the web-facing and script directories
# (the glob is quoted so the shell does not expand it before find sees it)
find /netscaler/ns_gui/ -type f -name '*.php' -newermt 20230501 -exec ls -l {} \;
find /var/vpn/ -type f -newermt 20230501 -exec ls -l {} \;
find /var/netscaler/logon/ -type f -newermt 20230501 -exec ls -l {} \;
find /var/python/ -type f -newermt 20230501 -exec ls -l {} \;

# Requests for shell or PHP files in the HTTP error log, and shell-history
# entries touching the key store
grep '\.sh' /var/log/httperror.log*
grep '\.php' /var/log/httperror.log*
grep '/flash/nsconfig/keys' /var/log/sh.log*

# Recently created root-owned setuid binaries under /var
find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt 20230501 -exec ls -l {} \;

dcc
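Regarding the point above that the find commands flag every file the patch rewrote: one way to keep them useful after the update is to exclude the patch-install window from the search. The following is an added example, not part of any post in this thread; the window boundaries (2023-07-10 15:30 to 15:35) are assumed values taken from the timestamp dcc mentioned and would need to be read from your own `ls -ll /var/nsinstall` output.

```shell
# List files under ROOT modified after SINCE, skipping any file whose mtime
# falls inside the patch-install window (WIN_START, WIN_END], so that files
# rewritten by the update do not drown out anything written at another time.
# Timestamps use find's -newermt syntax, e.g. "2023-07-10 15:30" (local time).
find_modified_outside_window() {
    root=$1; since=$2; win_start=$3; win_end=$4
    find "$root" -type f -newermt "$since" \
        ! \( -newermt "$win_start" ! -newermt "$win_end" \) \
        -exec ls -l {} \;
}

# Apply the check to the four directories the posted commands cover.
# The window values here are the assumed ones from the lead-in; replace them
# with the install time shown for your own build in /var/nsinstall.
check_netscaler_dirs() {
    for dir in /netscaler/ns_gui /var/vpn /var/netscaler/logon /var/python; do
        [ -d "$dir" ] && find_modified_outside_window "$dir" "2023-05-01" \
            "2023-07-10 15:30" "2023-07-10 15:35"
    done
}
```

A file whose modification time was reset after it was written will not appear in this output, so an empty result lowers the likelihood of tampering but does not rule it out; the log greps above remain the better complement.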
