Citrix NetScaler Zero-Day: How to Mitigate Risk from Impacted Vendors

Use this free questionnaire to understand the impact of the Citrix remote code execution bug on your vendors, and follow our three best practices to mitigate your risk.
By Scott Lang, VP, Product Marketing
July 25, 2023

About the NetScaler Zero-Day Vulnerability

Citrix Systems has disclosed an unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2023-3519, in its NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway appliances that was exploited in the wild as a zero-day before a patch was available; scans of internet-facing hosts found approximately 15,000 appliances still exposed. An appliance is vulnerable only when it is configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication (AAA) virtual server.

A threat actor began advertising a Citrix ADC zero-day for sale on a hacker forum in the first week of July. Citrix released security updates for the vulnerability on July 18, 2023, urging customers to install them as soon as possible, and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and others have since recommended that organizations remediate immediately. Because the flaw was exploited before a fix existed, patching alone is not enough: an appliance that was compromised beforehand keeps any web shell the attacker planted, so CISA also advised checking patched appliances for signs of prior compromise.

In this post, we recommend five questions to ask your third-party vendors to determine their usage of NetScaler and understand their response to any related security incidents. We also share three best practices to better automate your organization’s third-party incident response.

5 Questions to Ask Vendors and Suppliers About the NetScaler Vulnerability

Use this brief assessment to determine your third-party vendors’ (and therefore your organization’s) exposure to the NetScaler zero-day. You can then weight each answer to score the criticality of exposure and focus on the highest-risk vendors.

Questions and potential responses:

1) Does the organization use a customer-managed NetScaler ADC and/or NetScaler Gateway?

Help text: In mid-July, Citrix announced that a critical-severity flaw had been discovered in its customer-managed NetScaler ADC and NetScaler Gateway. The vulnerability could allow an unauthenticated remote attacker to run arbitrary code on an affected device.

Security updates to the vulnerability were released on July 18.

Please select one of the following:

a) Yes, the organization makes use of NetScaler ADC (Citrix ADC) and/or NetScaler Gateway.

b) No, the organization does not make use of NetScaler ADC (Citrix ADC) and/or NetScaler Gateway.

2) Has the organization been impacted by the NetScaler remote code execution vulnerability?

Help text: Consideration should be given to where the impact has occurred, alongside the level of impact.

Please select one of the following:

a) There has been significant impact to our critical systems, applications or information.
Significant impact: The vulnerability has caused a loss of confidentiality or integrity of data.

b) There is a high level of impact to our critical systems, applications or information.
High impact: System availability has been periodically lost, and some loss of confidentiality or integrity of data.

c) There has been a low level of impact to our critical systems, applications or information.
Low impact: No loss of confidentiality or integrity of data; minimal or no disruption to system availability.

d) The vulnerability has had no impact on our critical systems, applications or information.

3) Where NetScaler ADC or NetScaler Gateway is in use, has the organization taken the steps recommended by the solution provider (Citrix) to address the vulnerability?

Help text: Citrix has urged organizations to install the most updated versions of NetScaler ADC and NetScaler Gateway at the earliest opportunity.

The recommendations can be found on the Citrix support website.

Please select all that apply.

a) The organization has identified that it is operating an impacted version of NetScaler ADC and/or NetScaler Gateway.

b) The latest patches and updates have been made to the NetScaler ADC and/or NetScaler Gateway.

4) Does the compromise affect critical services delivered to the client?

Please select one of the following:

a) Yes

b) No

5) Who is designated as the point of contact who can answer additional queries?

Please state the key contact for managing information and cybersecurity incidents.

Name:

Title:

Email:

Phone:

3 Best Practices for Third-Party Vendor Security Incident Mitigation

Although it is not possible to eliminate all risk from every vendor relationship, your third-party risk management program can deliver the visibility and automation necessary to proactively find and mitigate the risks that can disrupt your business. Start with these three steps:

1. Identify vendors that could be using the impacted technology

Knowing which vendors use an impacted technology requires knowing who your vendors are in the first place – and that means building a centralized vendor inventory. You can’t accomplish this by using spreadsheets, or by delegating vendor management to line-of-business teams. It has to be done centrally in a system accessible by everyone involved in your vendor management initiatives. Your central system of record should allow imports of vendor profile data from any existing spreadsheets or via an API connection to your current procurement solution.

Once you have centralized all your vendors, use vendor questionnaires supported by passive scanning capabilities to help you identify fourth-party technology relationships. In this particular case, this exercise would reveal which vendors use NetScaler. Collecting information about fourth-party technologies deployed in your vendor ecosystem helps to identify organizations using the impacted technology, so you can prioritize which of your vendors require further assessments.

2. Issue event-specific risk assessments

Once you have identified vendors with the impacted technology deployed in their environments, engage them with simple, targeted assessments that align with known supply-chain security standards and best practices such as NIST SP 800-161 and ISO/IEC 27036. Results from these assessments will help you target the remediations necessary to close potential security gaps. Good assessment solutions provide built-in recommendations to speed remediation and close those gaps quickly.

Start your event-specific assessment from the five questions in the section above, weighting answers according to your organization’s risk tolerance. These are basic questions meant to surface initial information; your organization may choose to ask different or additional questions.
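The weighting step is where the questionnaire turns into a priority list, so here is an added example of one way to do it. This is illustrative code written for this post, not a Prevalent product feature: the point values, tier cut-offs, the escalation rule and the vendor responses are all assumptions constructed for the example. It scores the five questions above (Q5 is contact data and is not scored), treats question 3 as the multi-select it is, and applies one hard rule on top of the point total: a vendor that has not confirmed patching and whose compromise would reach services you consume is ranked critical no matter how the other answers add up.

```python
from dataclasses import dataclass

# Point values and tier cut-offs below are illustrative assumptions for this
# example, not figures from the post; tune them to your own risk tolerance.
Q1_USES_NETSCALER = {"a": 40, "b": 0}            # Q1: uses customer-managed ADC/Gateway
Q2_IMPACT = {"a": 30, "b": 20, "c": 5, "d": 0}   # Q2: significant / high / low / none
Q4_CLIENT_SERVICES = {"a": 20, "b": 0}           # Q4: compromise reaches services we consume
# Q3 is "select all that apply": a) impacted version identified, b) patched.
Q3_UNPATCHED = 25   # impacted version identified, no patch reported
Q3_UNKNOWN = 15     # nothing selected: exposure not yet determined
Q3_PATCHED = 0
TIERS = ((80, "critical"), (50, "high"), (20, "medium"), (0, "low"))


@dataclass(frozen=True)
class Response:
    vendor: str
    q1: str                 # "a" | "b"
    q2: str                 # "a".."d"
    q3: frozenset           # subset of {"a", "b"}
    q4: str                 # "a" | "b"
    contact: str = ""       # Q5, kept for follow-up, never scored


def _check(question, answer, allowed):
    """Reject answers outside the questionnaire's option set."""
    if answer not in allowed:
        raise ValueError(f"{question}: unexpected answer {answer!r}")


def score(resp):
    """Return (points, tier, reasons) for one vendor response."""
    _check("q1", resp.q1, Q1_USES_NETSCALER)
    if resp.q1 == "b":
        return 0, "none", ["no NetScaler ADC/Gateway in use"]
    _check("q2", resp.q2, Q2_IMPACT)
    _check("q4", resp.q4, Q4_CLIENT_SERVICES)
    if not resp.q3 <= {"a", "b"}:
        raise ValueError(f"q3: unexpected answers {sorted(resp.q3)}")

    reasons = ["uses NetScaler ADC/Gateway"]
    points = Q1_USES_NETSCALER["a"] + Q2_IMPACT[resp.q2] + Q4_CLIENT_SERVICES[resp.q4]
    if "b" in resp.q3:
        points += Q3_PATCHED
        reasons.append("patched")
    elif "a" in resp.q3:
        points += Q3_UNPATCHED
        reasons.append("impacted version identified, not yet patched")
    else:
        points += Q3_UNKNOWN
        reasons.append("patch status unknown")
    if resp.q4 == "a":
        reasons.append("compromise would affect services delivered to us")

    tier = next(name for floor, name in TIERS if points >= floor)
    # Escalation rule (assumption): no confirmed patch plus exposure of the
    # services we consume is critical regardless of the point total.
    if "b" not in resp.q3 and resp.q4 == "a":
        tier = "critical"
    return points, tier, reasons


def rank(responses):
    """Vendors ordered from highest to lowest exposure as (vendor, points, tier)."""
    scored = [(r.vendor, *score(r)[:2]) for r in responses]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed sample responses from fictional vendors for a dry run.
SAMPLE = [
    Response("Acme Payroll", "a", "b", frozenset("a"), "a", "soc@acme.example"),
    Response("Beta Hosting", "a", "d", frozenset("ab"), "b"),
    Response("Gamma Print", "b", "d", frozenset(), "b"),
    Response("Delta CRM", "a", "c", frozenset(), "b"),
    Response("Epsilon Analytics", "a", "d", frozenset("a"), "a"),
    Response("Zeta Logistics", "a", "d", frozenset(), "a"),
]

if __name__ == "__main__":
    for vendor, points, tier in rank(SAMPLE):
        print(f"{vendor:<18} {points:>4}  {tier}")
```

On the sample data, Zeta Logistics scores 75 points, which would be "high" on points alone, but is escalated to "critical" because it has not confirmed a patch and its compromise would reach services delivered to you; Beta Hosting, which identified an impacted version and patched it, lands at "medium" and only needs follow-up on whether it checked for prior compromise. Keeping the reasons list alongside the score is what lets you explain a ranking to the vendor owner or the board rather than just asserting it.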

3. Continuously monitor impacted vendors

It’s important to be continuously vigilant; not only for risks stemming from the NetScaler zero-day, but also for those coming from the next attack. Start by monitoring the Internet and dark web using continuous cyber monitoring to reveal listings of stolen credentials for sale and other signals of an impending security incident.

Your monitoring should cover criminal forums, onion sites, invitation-only dark web forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, vulnerability and breach databases, and negative news coverage. In this case, dark web monitoring is what surfaced the forum listing for the vulnerability before the patch was available.

You can monitor multiple individual sources – or you can use a solution that unifies insights from multiple sources, centralizes all risk data, and makes it visible to key stakeholders. The latter approach enables you to correlate the results of continuous monitoring with risk assessment answers to validate whether vendors have controls in place or not.


Next Steps: Activate Your Third-Party Incident Response Program

If a cybersecurity incident occurred in your vendor ecosystem, would you be able to quickly understand its implications and activate an incident response plan? Time is of the essence in incident response, so being more proactive with a defined incident response plan will shorten the time to discover and mitigate potential vendor problems. A programmatic third-party incident response plan should include:

  • A centrally managed database of vendors and the technologies they rely on
  • Pre-built business resilience, continuity and security assessments to gauge the likelihood and impact of an incident
  • Scoring and weighting to help focus on the most important risks
  • Built-in recommendations to remediate potential vulnerabilities
  • Stakeholder-specific reporting to answer the inevitable board request

For more on how Prevalent can help your organization accelerate its discovery and mitigation of third-party risks, request a demo today.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
