Critical Citrix Vulnerabilities

Critical Citrix NetScaler ADC and NetScaler Gateway Vulnerabilities

Summary:

Recently, two critical security vulnerabilities were discovered, that affect Citrix NetScaler ADC and NetScaler Gateway products. The vulnerabilities, CVE-2023-4966 and CVE-2023-4967, cause sensitive information disclosure and denial of service to the affected devices. Exploits of CVE-2023-4966 on unmitigated appliances have been observed in the wild.

Description:

Citrix NetScaler is a product that provides application delivery and load balancing services.

CVE-2023-4966 and CVE-2023-4967 are two critical security vulnerabilities discovered in October 2023, that affect Citrix NetScaler ADC and NetScaler Gateway products as mentioned above.

CVE-2023-4966, allows attackers to access sensitive information on vulnerable devices. Specifically, when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, it can lead to sensitive information disclosure. CVE-2023-4966 has a CVSS score of 9.4 out of 10.

CVE-2023-4967, allows the attacker to cause denial of service. Similarly to CVE-2023-4966, this happens when the appliance is configured as a Gateway or AAA virtual server. CVE-2023-4967 has a CVSS score of 8.2 out of 10.

Both of the vulnerability scores indicate high severity and impact.

Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing strong authentication requirements. This could result in further access based upon the permissions and scope of access that the session was permitted. A threat actor could utilize this method to gather additional credentials, laterally pivot, and gain access to additional resources within an environment.

Affected Versions:

The following versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300

NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.

Recommendations:

It is important that all users of the above products follow the recommendations to prevent exploitation:

All the affected product versions of NetScaler ADC and NetScaler Gateway should be updated to the below patched ones:

NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
NetScaler ADC and NetScaler Gateway  13.1-49.15 and later releases of 13.1
NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Customers using NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to one of the above supported versions.

It is recommended to kill all active and persistent sessions.
If you are using NetScaler ADC or NetScaler Gateway instances on SDX hardware, you will need to upgrade VPX instances (the underlying SDX hardware, itself, is not affected).
Permanent fixes are available to download for NetScaler ADC and NetScaler Gateway.
The CISA tool can be used to scan a device for any webshells that may have been planted by attackers.

NetScaler ADC and NetScaler Gateway appliances that are not configured as a gateway or as an AAA virtual server and products such as NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.