www.belgium.be Logo of the federal government

WARNING: 2 NEW ACTIVELY EXPLOITED VULNERABILITIES AFFECT CITRIX NETSCALER ADC AND GATEWAY

Reference: 
Advisory #2024-07
Version: 
1.1
Affected software: 
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
NetScaler ADC 13.1-FIPS before 13.1-37.176
NetScaler ADC 12.1-FIPS before 12.1-55.302
NetScaler ADC 12.1-NDcPP before 12.1-55.302
Type: 
Authenticated Remote Code Execution and Denial of Service
CVE/CVSS: 
CVE-2023-6548 :CVSS 5.5(CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVE-2023-6549 :CVSS 8.2(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

Sources

Citrix: https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549

Risks

Citrix has released security updates to address two vulnerabilities, that are affecting Citrix Netscaler ADC and Citrix Netscaler Gateway. The vulnerabilities are observed being exploited in attacks against organisations.

Additionally, both vulnerabilities are of low attack complexity and do not require privileges or user interaction.

Description

CVE-2023-6548: Remote code execution vulnerability

Unauthenticated attackers can exploit this vulnerability if they have access to the appliance’s management interface and are able to access NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP).
NetScaler IP (NSIP) is the address used to access the machine for management purposes. Subnet IP (SNIP) is used for server side connections and will be used to route traffic that is destined for the VIP.

Successful exploitation of this vulnerability leads to remote code execution.

Update 2024-07-18: It was discovered that this vulnerability can be exploited without privileges. The description has changed to reflect the increased severity of this vulnerability.

CVE-2023-6549: Denial of service vulnerability

For attackers to exploit this vulnerability, the appliance must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

 

References