Citrix has issued an urgent security bulletin concerning multiple critical vulnerabilities in NetScaler ADC and NetScaler Gateway. If you are using affected versions of these products, immediate action is imperative to safeguard your network and data.
The Vulnerabilities at a Glance
Two critical vulnerabilities have been identified:
- CVE-2023-4966: Sensitive Information Disclosure
  - Severity: CVSS score of 9.4
  - Configuration: The appliance must be configured as a Gateway or an AAA virtual server.
- CVE-2023-4967: Denial of Service
  - Severity: CVSS score of 8.2
  - Configuration: Similar to CVE-2023-4966, the appliance must be configured as a Gateway or an AAA virtual server.
Affected versions:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Note: Version 12.1 is now End-of-Life (EOL) and is vulnerable.
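A build-triage helper for the list above, added here as an example (it is not Citrix's code): it classifies an appliance's version banner against the first fixed build for its release and edition. The banner shape, the `edition` parameter and the sample inventory are assumptions, and the check covers the build only, not whether the appliance is configured as a Gateway or AAA virtual server.

```python
import re

# First fixed build per (release, edition), copied from the affected-versions list.
FIXED = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Assumed banner shape: "NetScaler NS13.1: Build 48.47.nc, Date: ..."
BANNER = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def classify(banner, edition="standard"):
    """Return 'vulnerable', 'fixed', 'eol-vulnerable' or 'unknown'."""
    m = BANNER.search(banner)
    if not m:
        return "unknown"
    release = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))  # numeric, so 9.x sorts below 49.x
    if release == "12.1" and edition == "standard":
        return "eol-vulnerable"  # 12.1 is EOL and vulnerable per the note above
    fixed = FIXED.get((release, edition))
    if fixed is None:
        return "unknown"  # release/edition not covered by the list
    return "vulnerable" if build < fixed else "fixed"


def needs_upgrade(inventory):
    """Names of appliances that are not confirmed to be on a fixed build."""
    return [name for name, banner, edition in inventory
            if classify(banner, edition) != "fixed"]


# Constructed sample inventory (hostnames, builds and dates are made up).
SAMPLE = [
    ("gw-01", "NetScaler NS13.1: Build 48.47.nc, Date: Jun 1 2023", "standard"),
    ("gw-02", "NetScaler NS14.1: Build 8.50.nc, Date: Oct 1 2023", "standard"),
    ("gw-03", "NetScaler NS13.1: Build 37.164.nc, Date: Oct 1 2023", "FIPS"),
    ("gw-04", "NetScaler NS12.1: Build 65.35.nc, Date: Jan 1 2023", "standard"),
    ("gw-05", "NetScaler NS13.0: Build 9.2.nc, Date: Jan 1 2020", "standard"),
]

if __name__ == "__main__":
    for name, banner, edition in SAMPLE:
        print(name, classify(banner, edition))
```

The edition matters: build 13.1-37.164 is fixed on the FIPS track but would be below 13.1-49.15 if it were treated as a standard 13.1 build.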
Understanding the Risks
Both vulnerabilities are buffer-related and could be exploited without authentication. CVE-2023-4966 allows unauthorized data disclosure and possibly session hijacking, while CVE-2023-4967 can cause a denial of service.
The exploit doesn’t require sophisticated skills, but the impact is highly concerning. The Cybersecurity and Infrastructure Security Agency (CISA) has already added an entry for CVE-2023-4966 [1] to its Known Exploited Vulnerabilities Catalog.
It’s crucial to act now. If you’re using any of the affected builds listed, update immediately by installing the recommended builds [2]. Additionally, terminate all active and persistent sessions using the following commands [3]:
    kill icaconnection -all
    kill rdp connection -all
    kill pcoipConnection -all
    kill aaa session -all
    clear lb persistentSessions
Note: Ensure the formatting remains intact when you copy and paste these commands.
For NetScaler ADC or NetScaler Gateway instances on SDX hardware, you will need to upgrade VPX instances; the underlying SDX hardware is not affected.
No Room for Complacency
There are no workarounds or mitigations available beyond upgrading to a build that addresses these vulnerabilities. Reports have confirmed incidents consistent with session hijacking [4] and targeted attacks exploiting CVE-2023-4966. If you’re delaying updates, you’re risking unauthorized data disclosure and potentially session hijacking.
These vulnerabilities are not to be taken lightly. NetScaler ADC and NetScaler Gateway are integral components in many network architectures. Failure to address these vulnerabilities promptly could have severe repercussions, including data breaches and service disruptions.
Don’t wait. Update now and ensure you’re protected against these severe vulnerabilities.
[1] https://www.bleepingcomputer.com/news/security/citrix-warns-admins-to-patch-netscaler-cve-2023-4966-bug-immediately/
[2] https://docs.netscaler.com/en-us/citrix-adc-secure-deployment.html
[3] https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/
[4] https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966