Critical Citrix Vulnerabilities Expose Sensitive Data, Cause DoS

CVE-2023-4966

A critical vulnerability in Citrix’s NetScaler ADC and NetScaler Gateway devices could lead to the exposure of sensitive data, according to a security bulletin released by the company.

The vulnerability, designated CVE-2023-4966, has been assigned a CVSS score of 9.4, placing it in the critical severity range. The flaw can be exploited remotely, without high-level privileges, user interaction, or complex procedures. However, it only affects appliances that are configured as a Gateway or an AAA virtual server.

The exact nature of the ‘sensitive information’ that could be exposed due to this flaw has not been detailed by the vendor. However, it is likely that attackers could exploit the vulnerability to gain access to confidential data such as customer information, login credentials, and financial records.

In addition to CVE-2023-4966, a second vulnerability, CVE-2023-4967, was disclosed; it has the same prerequisite for exploitation (an appliance configured as a Gateway or AAA virtual server). This high-severity flaw, with a CVSS score of 8.2, could cause a Denial of Service (DoS) on vulnerable devices.

A DoS attack is a type of cyberattack that aims to make a computer or network unavailable to its intended users. DoS attacks can be carried out in a variety of ways, but they typically involve flooding the target with traffic or sending it packets that are designed to cause it to crash.

Affected Versions

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Mitigation

Citrix strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Citrix has advised users of the affected versions of NetScaler ADC and NetScaler Gateway to upgrade to a fixed version that includes security updates addressing these flaws. No mitigation strategies or workarounds have been suggested by Citrix at this time.
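As an added example (not code from this article or from Citrix), the fixed-build thresholds from the two lists above, encoded as a triage check over an appliance inventory. The inventory records, the "line-major.minor" version-string format and the `variant` labels are assumptions of this example; the bulletin's exploitation prerequisite (a Gateway or AAA virtual server) is used to rank which appliances to upgrade first.

```python
import re
from typing import NamedTuple

# Fixed builds from the Citrix bulletin quoted on this page, keyed by
# (release line, variant). Any build older than the listed one is affected.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def parse_version(version: str):
    """Split '13.1-49.15' into ('13.1', (49, 15)); integer tuples make 49.9 < 49.15."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def patch_status(version: str, variant: str = "standard") -> str:
    """'affected', 'fixed', or 'not_listed' (no fix in the bulletin for that line/variant)."""
    line, build = parse_version(version)
    fixed = FIXED_BUILDS.get((line, variant))  # variant matters: 13.1-FIPS has its own threshold
    if fixed is None:
        return "not_listed"
    return "affected" if build < fixed else "fixed"

class Appliance(NamedTuple):
    name: str             # hypothetical inventory label
    version: str
    variant: str          # 'standard', 'FIPS' or 'NDcPP'
    gateway_or_aaa: bool  # configured as a Gateway or AAA virtual server?

def triage(appliances):
    """Patch first: affected build AND the Gateway/AAA configuration the bulletin requires."""
    return [a.name for a in appliances
            if a.gateway_or_aaa and patch_status(a.version, a.variant) == "affected"]

# Constructed sample inventory (not real hosts).
INVENTORY = [
    Appliance("gw-edge-1", "13.1-49.9", "standard", True),      # older than 49.15, exposed
    Appliance("gw-edge-2", "13.1-49.15", "standard", True),     # already on the fixed build
    Appliance("lb-internal", "13.0-91.13", "standard", False),  # affected build, no Gateway/AAA
    Appliance("fips-gw", "13.1-37.100", "FIPS", True),          # below the 13.1-FIPS threshold
]
if __name__ == "__main__":
    print(triage(INVENTORY))  # ['gw-edge-1', 'fips-gw']
```

Appliances on an affected build that are not configured as Gateway/AAA still need the update; the ranking only orders the work.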