Hunting for potentially vulnerable Citrix servers with Shodan — CVE-2023-3519
Background
Just thought I’d share some tips on using Shodan to find potentially vulnerable kit. You may have seen the recent news/noise across Twitter/Feedly; if you haven’t, get out from under your rock!!1 🤘
Shodan Hunting
Citrix NetScaler is a suite of products from Citrix that is notorious for severe vulns allowing initial access for IABs (initial access brokers) and ransomware groups. I was concerned with:
- Who could be vulnerable to this?
- More importantly, which organisations?
Using Shodan, we can definitely tell who has Citrix ADC, Gateway, AAA or VPN exposed. To produce reliable results, I searched based on the known favicon hashes of Citrix NetScaler:
- -1292923998
- -1166125415
Thanks to Dan Card for these: https://twitter.com/UK_Daniel_Card
http.favicon.hash:-1292923998,-1166125415
The above filter returns a whopping 60k results worldwide!!1
GB returned circa 3k results.
Other Interesting Shodan Methods — JA3
You can also use the JA3 hash to search for client applications. This is a solid method if:
- The general metadata/headers of the application/service you’re looking for don’t expose any data you can filter on.
- The favicon isn’t always the same, but the application is.
How does JA3 work?!
To initiate a TLS session, a client will send a TLS Client Hello packet following the TCP 3-way handshake. This packet and the way in which it is generated is dependent on packages and methods used when building the client application. The server, if accepting TLS connections, will respond with a TLS Server Hello packet that is formulated based on server-side libraries and configurations as well as details in the Client Hello. Because TLS negotiations are transmitted in the clear, it’s possible to fingerprint and identify client applications using the details in the TLS Client Hello packet.
The JA3 hash works by taking the Client Hello packet and hashing the decimal values of the following fields:
- Version
- Cipher Suites
- Extensions Length
- Extension: elliptic_curves
- Extension: ec_point_formats
Hashing those decimal values gives you a very reliable checksum that can be used to find similar applications. Shodan collects JA3 hashes, and they are available in the “Raw Data” tab.
Ref: https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
JA3 hashes might change based on the version of the app, which could make your search more reliable if you’re looking for a specific version.
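The JA3 recipe above, as an added example that is not code from the original post: a small Python parser that pulls the fingerprinted fields out of a Client Hello and produces the JA3 string and its MD5, following the definition in the Salesforce write-up referenced above (the third field is the list of extension types, and GREASE values are skipped so that a browser's randomised GREASE does not change the hash). The Client Hello bytes are a constructed sample, and `sample_client_hello` and `ja3_from_client_hello` are names chosen here.

```python
# Added example (not the post's own code): compute a JA3 fingerprint from a TLS
# Client Hello record; sample bytes below are constructed, not a real capture.
import hashlib
import struct

GREASE = {v | (v << 8) for v in range(0x0A, 0x100, 0x10)}   # 0x0A0A, 0x1A1A, ... 0xFAFA

def u16s(data):
    """Big-endian 16-bit values in data (a trailing odd byte is ignored)."""
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data) - 1, 2)]

def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for a TLS record carrying a Client Hello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record with a Client Hello")
    p = 9                                   # record header (5) + handshake header (4)
    version = int.from_bytes(record[p:p + 2], "big"); p += 2
    p += 32                                 # client random
    p += 1 + record[p]                      # session id
    n = int.from_bytes(record[p:p + 2], "big"); p += 2
    ciphers = [c for c in u16s(record[p:p + n]) if c not in GREASE]; p += n
    p += 1 + record[p]                      # compression methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big"); p += 2
    ext_types, curves, formats = [], [], []
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        body = record[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype in GREASE:                 # JA3 ignores GREASE values everywhere
            continue
        ext_types.append(etype)
        if etype == 0x0A:                   # supported_groups (elliptic_curves)
            curves = [g for g in u16s(body[2:]) if g not in GREASE]
        elif etype == 0x0B:                 # ec_point_formats
            formats = list(body[1:])
    dash = lambda xs: "-".join(str(x) for x in xs)
    ja3 = f"{version},{dash(ciphers)},{dash(ext_types)},{dash(curves)},{dash(formats)}"
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def sample_client_hello():   # constructed sample: TLS 1.3 suites plus GREASE, not a capture
    ext = lambda t, body: struct.pack("!HH", t, len(body)) + body
    exts = (ext(0x1A1A, b"") + ext(0x00, b"\x00\x0e\x00\x00\x0bexample.com")
            + ext(0x17, b"") + ext(0x0A, struct.pack("!4H", 6, 0x2A2A, 29, 23))
            + ext(0x0B, b"\x01\x00") + ext(0xFF01, b"\x00"))
    suites = struct.pack("!4H", 0x0A0A, 0x1301, 0x1302, 0xC02B)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Running `ja3_from_client_hello(sample_client_hello())` yields the string `771,4865-4866-49195,0-23-10-11-65281,29-23,0` and its MD5; the same function applied to a capture of your own appliance's client traffic gives you the value to compare against what Shodan shows in “Raw Data”.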
Other Interesting Shodan Methods — HTTP Data Hash
You can also use the hash of the HTTP data. This is a function performed by Shodan whereby it hashes the HTTP data (NOT the headers), which again makes it a very reliable source.
Confirming your findings
I highly recommend the script shared by @DTCERT, which can give you an indication of whether your server(s) are vulnerable: https://github.com/telekom-security/cve-2023-3519-citrix-scanner
References
https://help.shodan.io/mastery/property-hashes
https://engineering.salesforce.com/tls-fingerprinting-with-ja3-and-ja3s-247362855967/
https://github.com/telekom-security/cve-2023-3519-citrix-scanner
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a