Citrix has released patches to address two vulnerabilities (CVE-2023-4966 & CVE-2023-4967) in NetScaler ADC and Gateway.
CVE-2023-4966 has been rated as critical, with a CVSS score of 9.4. Successful exploitation of the vulnerability may lead to information disclosure.
CVE-2023-4967 has a high severity rating and a CVSS score of 8.2. Successful exploitation of the vulnerability may allow an attacker to cause a denial of service on vulnerable devices.
CISA has added CVE-2023-4966 to its Known Exploited Vulnerabilities Catalog, acknowledging its active exploitation. CISA recommends that users patch the vulnerability before November 8, 2023.
In a recent update, the vulnerability has been given the name “CitrixBleed,” and mass exploitation has been observed.
NetScaler ADC is an application delivery solution for both on-premises and cloud deployments. Application delivery controllers are networking devices designed specifically to enhance the performance, security, and resilience of application delivery.
NetScaler Gateway unifies remote access infrastructure to offer single sign-on for all applications, whether hosted in a data center, the cloud, or provided as SaaS.
Prerequisites
The appliance must be configured as a
- Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy)
OR
- AAA virtual server
Affected Versions
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Note: NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL) and are vulnerable.
Mitigation
Customers are advised to upgrade to the following versions to mitigate the vulnerabilities:
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
Note: NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL). Customers must upgrade to one of the supported versions that address the vulnerabilities.
Please refer to the Citrix Security Bulletin (CTX579459) for more information.
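To turn the affected-version and fixed-version lists above into a repeatable check, here is an added Python triage helper (not code from Citrix or Qualys). It assumes the "major.minor-build.sub" version string format shown in the bulletin, treats FIPS and NDcPP builds as separate branches, and uses the role labels ("vpn", "ica-proxy", "cvpn", "rdp-proxy", "aaa") as assumed shorthand for the prerequisite configurations listed earlier.

```python
import re
from typing import Dict, Iterable, Tuple

# First fixed build per branch, taken from the mitigation list (CTX579459).
# FIPS and NDcPP builds have their own fixed builds and are keyed separately.
FIXED_BUILDS = {
    "14.1": "14.1-8.50",
    "13.1": "13.1-49.15",
    "13.0": "13.0-92.19",
    "13.1-FIPS": "13.1-37.164",
    "12.1-FIPS": "12.1-55.300",
    "12.1-NDcPP": "12.1-55.300",
}

# Assumed role labels for the prerequisite configurations in the bulletin:
# a Gateway (VPN vserver, ICA Proxy, CVPN, RDP Proxy) or an AAA vserver.
PREREQ_ROLES = {"vpn", "ica-proxy", "cvpn", "rdp-proxy", "aaa"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '13.1-49.15' into (13, 1, 49, 15) so builds compare numerically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def assess(version: str, variant: str = "") -> str:
    """Return 'patched', 'vulnerable' or 'eol-vulnerable' for one build.

    variant is '' for mainline builds, or 'FIPS' / 'NDcPP'.
    """
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}" + (f"-{variant}" if variant else "")
    # Mainline 12.1 is End-of-Life and has no fixed build: always vulnerable.
    if branch == "12.1":
        return "eol-vulnerable"
    if branch not in FIXED_BUILDS:
        raise ValueError(f"branch {branch} is not covered by the bulletin")
    return "patched" if parsed >= parse_version(FIXED_BUILDS[branch]) else "vulnerable"


def triage(version: str, variant: str = "", roles: Iterable[str] = ()) -> Dict[str, object]:
    """Combine build status with the configured roles to flag exposed appliances.

    An unpatched build still needs the upgrade even if 'exposed' is False,
    because roles can be added later; 'exposed' only prioritises the work.
    """
    status = assess(version, variant)
    exposed = status != "patched" and bool(PREREQ_ROLES & set(roles))
    return {"status": status, "exposed": exposed}
```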
Qualys Detection
Qualys customers can scan their devices with QID 378935 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.