Citrix NetScaler ADC and NetScaler Gateway are affected by a high-severity vulnerability that can expose sensitive data stored on compromised devices. The flaw is tracked as CVE-2023-4966 and carries a CVSS score of 9.4. What makes the situation more concerning is that it can be exploited remotely without elevated privileges, user interaction, or complex attack steps.
Exploitation requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
Although exploitation can lead to sensitive information being disclosed, Citrix has not provided any details about what specific information is exposed.
A second vulnerability detailed in the same bulletin is CVE-2023-4967, another high-severity (CVSS score: 8.2) weakness with the same prerequisites. This flaw could lead to denial of service (DoS) on susceptible devices.
The impacted versions of Citrix products include:
NetScaler ADC and NetScaler Gateway 14.1 versions before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 versions before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 versions before 13.0-92.19
NetScaler ADC 13.1-FIPS versions before 13.1-37.164
NetScaler ADC 12.1-FIPS versions before 12.1-55.300
NetScaler ADC 12.1-NDcPP versions before 12.1-55.300
The recommended course of action is to upgrade promptly to the patched versions that address both vulnerabilities. Citrix has not provided any mitigation steps or workarounds this time.
Citrix's security bulletin strongly advises affected customers of NetScaler ADC and NetScaler Gateway to install the corresponding updated versions as soon as possible. The versions to upgrade to are:
NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases of 14.1
NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
It’s important to note that version 12.1 has reached its end of life (EOL) date and will no longer receive support from Citrix. Users are now strongly encouraged to upgrade to a more current, actively supported release.
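As an added illustration (not from the Citrix bulletin or this article), the following check takes a version string in the `major.minor-build.sub` form the bulletin uses, plus the edition (standard, FIPS or NDcPP) and whether a Gateway or AAA virtual server is configured, and decides whether the appliance is below the fixed build listed above. The edition labels, the function names and the return values are this example's own conventions.

```python
import re

# Fixed builds quoted in the bulletin, keyed by (edition, release branch).
# FIPS and NDcPP builds share a branch number with standard builds but have
# their own fixed build, so the edition must be part of the key.
FIXED_BUILDS = {
    ("standard", "14.1"): "14.1-8.50",
    ("standard", "13.1"): "13.1-49.15",
    ("standard", "13.0"): "13.0-92.19",
    ("FIPS", "13.1"): "13.1-37.164",
    ("FIPS", "12.1"): "12.1-55.300",
    ("NDcPP", "12.1"): "12.1-55.300",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Split '13.1-49.15' into (13, 1, 49, 15); raise ValueError on other shapes."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def assess(version, edition="standard", gateway_or_aaa=True):
    """Classify an appliance against the CVE-2023-4966/4967 fixed builds.

    Returns 'patched', 'vulnerable', 'unpatched-not-exposed' or 'unlisted'.
    'unlisted' means the (edition, branch) pair has no fixed build in the
    bulletin, e.g. standard 12.1, which the article notes is end of life.
    """
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_BUILDS.get((edition, branch))
    if fixed is None:
        return "unlisted"
    # Tuple comparison orders by major, minor, build, then sub-build.
    if parsed >= parse_version(fixed):
        return "patched"
    # Per the bulletin, exploitation needs a Gateway or AAA virtual server;
    # an unpatched box without one is still unpatched and should be upgraded.
    return "vulnerable" if gateway_or_aaa else "unpatched-not-exposed"
```

A version string that is not in this exact form raises ValueError rather than being silently treated as patched.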
Critical-severity vulnerabilities in Citrix products are especially attractive to malicious actors because large organisations with valuable assets rely on these devices.
A recent example is CVE-2023-3519, a severe remote code execution vulnerability that Citrix swiftly addressed as a zero-day in July 2023.
CVE-2023-3519 is being actively exploited by multiple cyber criminals, who are using the available exploits to implant backdoors and steal credentials.