Indicator of Compromise Scanner for CVE-2023-3519

This repository contains a utility for detecting compromises of Citrix ADC Appliances related to CVE-2023-3519. The utility, and its resources, encode indicators of compromise collected during Mandiant investigations. To learn more, please read the blog announcing this tool's release.

In summary the utility will:

• do a best effort job at identifying existing compromise.

It will not:

• identify a compromise 100% of the time, or
• tell you if a device is vulnerable to exploitation.

With community feedback, the tool may become more thorough in its detection. Please open an issue, or submit a PR, if you have problems, ideas, or feedback.

Download the standalone tool from the Releases tab of this repository. Do not clone this repository to a netscaler or copy source files to the netscaler - this will result in false positives.

Features

This scanner can identify:

• file system paths of known malware
• post-exploitation activity in shell history
• known malicious terms in NetScaler directories
• unexpected modification of NetScaler directories
• unexpected crontab entries
• unexpected processes

Details

The Indicator of Compromise (IoC) Scanner for CVE-2023-3519 was developed by Mandiant in collaboration with Citrix based on knowledge gleaned from incident response engagements related to exploitation of CVE-2023-3519. The goal of the scanner is to analyze available log sources and system forensic artifacts to identify evidence of successful exploitation of CVE-2023-3519. There are limitations in what the tool will be able to accomplish, and therefore, executing the tool should not be considered a guarantee that a system is free of compromise. For example, log files on the system with evidence of compromise may have truncated/rolled, the system may have been rebooted, an attacker may have tampered with the system to remove evidence of compromise, and/or installed a rootkit that masks evidence of compromise, etc.

This tool is not guaranteed to find all evidence of compromise, or all evidence of compromise related to CVE-2023-3519. If indications of compromise are identified on systems, organizations should perform a forensic examination of the compromised system to determine the scope and extent of the incident. This software is provided as-is, without warranty or representation for any use or purpose.

Usage

You should download the standalone Bash script from the Releases tab of this repository. Copying the source directory to a Citrix ADC Appliance is not recommended. Doing so will generate false positives.

The IoC Scanner can be run directly on a Citrix ADC Appliance. In this mode, the tool will scan files, processes, and ports for known indicators. The tool writes diagnostic messages to the STDERR stream and results to the STDOUT stream. In typical usage, you should redirect STDOUT to a file for review. The tool must be run as root in live mode on a Citrix ADC Appliance. To access root sign in to the CLI as nsroot and then run shell from the CLI.

For example:

$ bash ./scanner-CVE-2023-3519-v1.2.sh > "/tmp/results-$(date).txt"

The tool is designed to be used with the following products:

• Citrix ADC and Citrix Gateway version 13.1
• Citrix ADC and Citrix Gateway version 13.0
• Citrix ADC and Citrix Gateway version 12.1
• Citrix ADC and Citrix Gateway version 12.0

The IoC Scanner can also inspect a mounted forensic image. In this scenario, pass a command line argument specifying the path to the image root directory. Note: The path you pass for forensic image scanning should be the logical root / of the image. The tool uses relative filepaths in some cases and you may receive false-postives or false-negatives if the image is not properly mounted. You don't have to be root to run in offline mode.

For example:

$ bash ./scanner-CVE-2023-3519-v1.1.sh /mnt/path/to/evidence/root/

In both modes, the tool will extract supporting code into a temporary directory; this directory will be deleted upon termination of the script. The tool does not make further changes to the system, although it may cause log entries to be generated.

Like all forensic analysis, prefer offline analysis against a dd image to live response. This will eliminate the likelihood that the tool causes relevant evidence to be overwritten.

Interpreting Results

The results of the script are broken down into three main sections.

1. System overview
2. Log status
3. Results (if any)

The system summary will output basic information on the appliance (if run in live mode) and a yes/no if any evidence of compromise has been detected.

**********************************************************************
SUMMARY:
Date                                  : Sat Aug 12 22:46:26 UTC 2023
Hostname                              : 
IP                                    : 192.168.122.2
NS version                            : 13.1-48.47
Scanner version                       : 
Scanner run mode                      : Default
Evidence of compromise found          : Yes
Evidence of scanning found            : N/A - Script Executed in Default Mode
Evidence of failed exploitation found : N/A - Script Executed in Default Mode
**********************************************************************

The next section will output details on the log files that have been scanned, including the first and last entry of each log file. This is helpful as an investigator so you can determine what time period the scanner was able to look at logs for and to explain any missing results.

The final section will detail what evidence of compromise was identified, if any. For example, denylisted content matched in files is shown below.

**********************************************************************
MATCH: denylisted content 'blv_encode'
Found evidence of potential compromise.                               
You should consider performing a forensic investigation of the system.
**********************************************************************
matches for 'blv_encode':
/root/six.mal_

Contributing

As you invent further ways to identify compromise, please consider contributing to this IoC Scanner. We would like to provide the most thorough, correct scanner as possible.

The primary goal is to report high confidence indicators of compromise. Because users may rely on the output of this tool to initiate further investigation, it's important that we don't send them on a wild goose chase. Therefore, activity such as simple scanning should not be reported in the default mode. Any evidence of an actor gaining access to the system, fetching information, or creating content should always be reported.

Design

We provide this tool as a Bash script because it's a common denominator across Citrix ADC Appliances. Here's the feature matrix for Citrix ADC releases:

NetScaler Version	OS	Languages available
13.1	FreeBSD 8.4	Bash, Perl, Python
13.0	FreeBSD 8.4	Bash, Perl, Python
12.1	FreeBSD 8.4	Bash, Perl, Python
12.0	FreeBSD 8.4	Bash, Perl, Python

Building

Once you've checked out the source repository, you can build a standalone script using the ./build.sh tool. This packages the primary script and supporting resources into a single bundle. Upon execution, it will extract to a temporary directory, execute from there, and then clean up. Do not build the script on a netscaler. Doing so will result in false positives.

To build:

$ bash ./build.sh > ioc-scanner-CVE-2023-3519-rev$(git rev-parse HEAD | cut -c 1-8).sh

Further Reading

For additional information from Mandiant regarding CVE-2023-3519 and in-the-wild exploitation, please see:

• Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) - published on July 21, 2023
• Technical Summary of Observed Citrix CVE-2023-3519 Incidents - published on August 7, 2023