Citrix urges immediate patching of critically vulnerable product lines

Citrix has urged customers of NetScaler ADC and NetScaler Gateway to install updated versions of the networking products to prevent active exploitation of vulnerabilities that could lead to information disclosure and DoS attacks.

NetScaler ADC (Application Delivery Controller) and NetScaler Gateway were designed to enhance the performance, security, and availability of applications and services within networks. Citrix first announced the product vulnerabilities — designated CVE-2023-4966 and CVE-2023-4967 — on October 10, describing them as “unauthenticated buffer-related” bugs.

CVE-2023-4966, a critical information disclosure vulnerability, has been assigned a 9.4 CVSS score. AssetNote, a cybersecurity company specialized in identifying and managing security risks in web applications and online assets, published a proof of concept (POC) exploit for the vulnerability, called Citrix Bleed, on GitHub. The company is also offering customers a test to check their exposure to the vulnerability.

In an advisory, Citrix said that “exploits of CVE-2023-4966 on unmitigated appliances have been observed. Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

Active exploits for CVE-2023-4967, which would allow attackers to launch DoS attacks, have not been as widely observed. It has been assigned an 8.2 CVSS score.

Citrix recommends immediate patching

In its most recent update on the vulnerabilities, Citrix has recommended installing the updated versions of the affected products. Multiple versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities, and they are listed by Citrix in its latest security bulletin.

“NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL),” added Citrix in the bulletin. “Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.”

Technical details on CVE-2023-4966 have been offered by AssetNote. The cybersecurity firm performed patch-diffing, a differential analysis that compares patched and unpatched versions of a product, on NetScaler versions 13.1-49.15 (patched) and 13.1-48.47 (unpatched), to determine the vulnerable functions.

The diffing process involved looking into the /NetScaler/nsppe binary. “This is the NetScaler Packet Processing Engine and it contains a full TCP/IP network stack as well as multiple HTTP services,” said AssetNote in a blog post. “If there is a vulnerability in NetScaler, this is where we look first.”

AssetNote discovered two vulnerable functions: ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config. Both functions are reachable without authentication, and both were patched with the same logic.

Apart from updating to the fixed versions, Citrix recommends killing all active and persistent sessions through a string of commands including: kill icaconnection -all; kill rdp connection -all; kill pcoipConnection -all; kill aaa session -all; and clear lb persistentSessions.

However, it also noted that “Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.”
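As an added triage helper (not code from the article, Citrix or AssetNote): a Python routine that reads a NetScaler build string, compares it with the 13.1-49.15 patched build named above, flags the end-of-life 12.1 branch, and returns the session-termination commands Citrix recommends after patching. The "show ns version" output format and the sample line are assumptions constructed for this example; fixed builds for branches other than 13.1 are in Citrix's bulletin and are deliberately not encoded here.

```python
import re
from typing import Optional, Tuple

# Builds named in the article for the 13.1 branch (AssetNote's patch diff):
# 13.1-49.15 is patched, 13.1-48.47 is unpatched. Other branches and their
# fixed builds are listed in Citrix's bulletin and are not encoded here.
FIXED_BUILDS = {(13, 1): (49, 15)}

# Session-termination commands from the Citrix advisory, to run after patching
# so that sessions established on an unpatched appliance are not reused.
SESSION_KILL_COMMANDS = [
    "kill icaconnection -all",
    "kill rdp connection -all",
    "kill pcoipConnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
]

# Assumed shape of "show ns version" output (constructed sample, not captured).
SAMPLE_SHOW_VERSION = "    NetScaler NS13.1: Build 48.47.nc, Date: (constructed)\n Done\n"

_CLI_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")
_ADVISORY_RE = re.compile(r"(\d+)\.(\d+)-(\d+)\.(\d+)")


def parse_ns_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, build, sub) from CLI output or the '13.1-49.15' form."""
    m = _CLI_RE.search(text) or _ADVISORY_RE.search(text)
    if m is None:
        return None
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor, build, sub)


def assess(version_text: str) -> dict:
    """Classify a build against the fixed build known for its branch."""
    v = parse_ns_version(version_text)
    if v is None:
        return {"status": "unknown", "reason": "could not parse version"}
    branch, build = (v[0], v[1]), (v[2], v[3])
    if branch == (12, 1):  # EOL per the bulletin: upgrade, no fix on this branch
        return {"status": "eol", "version": v, "actions": ["upgrade to a supported version"]}
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return {"status": "unknown", "version": v, "reason": "branch not encoded; consult the bulletin"}
    if build >= fixed:
        return {"status": "patched", "version": v, "actions": list(SESSION_KILL_COMMANDS)}
    return {"status": "vulnerable", "version": v,
            "actions": ["upgrade to 13.1-49.15 or later"] + SESSION_KILL_COMMANDS}
```

Run assess() over each appliance's version string from inventory; a "patched" result still carries the session-kill commands because updating alone leaves existing sessions in place.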
