Citrix quietly fixes a new critical vulnerability similar to Citrix Bleed

A critical vulnerability in a line of Citrix NetScaler appliances allowed attackers to capture sensitive information from the devices’ memory, but it has now been fixed, according to research by Bishop Fox.

The vulnerability, which Citrix now appears to have silently addressed, was identified within Citrix NetScaler ADC and Gateway, affecting the devices running version 13.1-50.23.

“The vulnerability would enable an attacker to remotely obtain sensitive information from a NetScaler appliance configured as a Gateway or AAA virtual server via a very commonly connected Web interface, and without requiring authentication,” Bishop Fox said in a blog post.

The affected Citrix NetScaler components are used for Authentication, Authorization, and Auditing (AAA), and remote access. The latest version of NetScaler is 14.1-21.15, released on April 23, 2024.

Similarity with Citrix Bleed vulnerability

NetScaler products running the affected versions were vulnerable to an unauthenticated out-of-bounds memory read that could allow an attacker to read sensitive information from the appliance’s process memory, such as HTTP request bodies.

Although not as critical, the vulnerability is similar to Citrix Bleed (CVE-2023-4966), last year’s zero-day that affected the same devices and was exploited at scale in the wild.

Citrix Bleed was assigned a CVSS score of 9.4/10, making it a critical information disclosure vulnerability. Much like this vulnerability, Citrix Bleed could only be exploited where NetScaler ADC and Gateway devices were configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

What separates this bug from CVE-2023-4966 is that it is less likely to expose highly sensitive data. “This bug is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966), except it is less likely to return highly sensitive information to an attacker,” the blog post added.

Citrix silently patched the flaw

The vulnerability has not been assigned a CVE ID, probably because Citrix had made no public disclosure about it until now, but it was observed to be fixed in NetScaler version 13.1-51.15.

There is speculation that the company addressed the issue silently, without any disclosure. Bishop Fox urged users to update to version 13.1-51.15 or later to remediate the vulnerability.
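For administrators checking a fleet against the remediation guidance above, the following added example (not code from Citrix, Bishop Fox or this article) compares a NetScaler build string against the 13.1-51.15 build Bishop Fox observed as fixed. It only reaches a verdict for the 13.1 branch the article covers; any other branch is reported as not covered rather than assumed safe. The `show version` line format it parses is an assumption about the CLI output, and the sample strings are constructed.

```python
"""Classify a NetScaler ADC/Gateway build string relative to 13.1-51.15.

Added example, not code from Citrix, Bishop Fox or the article.
Verdicts are only given for the 13.1 branch the research covers; other
branches are reported as 'outside-13.1-branch' (assumption: their status
is not inferred from the article).
"""
import re
from typing import Optional, Tuple

# Values taken from the article.
FIXED_BUILD = "13.1-51.15"       # first build observed as fixed
AFFECTED_EXAMPLE = "13.1-50.23"  # build Bishop Fox reported as affected

# NetScaler builds read MAJOR.MINOR-BUILD.REV, e.g. 13.1-50.23
_BUILD_RE = re.compile(r"^\s*(\d+)\.(\d+)-(\d+)\.(\d+)\s*$")

# Assumed shape of a `show version` line (constructed for this example):
#   "NetScaler NS13.1: Build 50.23.nc, Date: ..."
_SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+\.\d+)")


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR-BUILD.REV' into a tuple of ints so that
    comparisons are numeric (50.9 < 50.23), not lexical."""
    m = _BUILD_RE.match(build)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(part) for part in m.groups())


def from_show_version(text: str) -> Optional[str]:
    """Extract 'MAJOR.MINOR-BUILD.REV' from assumed `show version` output;
    returns None when the line does not match."""
    m = _SHOW_VERSION_RE.search(text)
    return f"{m.group(1)}-{m.group(2)}" if m else None


def assess(build: str) -> str:
    """Return 'vulnerable', 'fixed' or 'outside-13.1-branch'."""
    version = parse_build(build)
    fixed = parse_build(FIXED_BUILD)
    if version[:2] != fixed[:2]:
        # The article only speaks to the 13.1 branch; do not guess.
        return "outside-13.1-branch"
    return "fixed" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample lines, as an operator might collect them.
    samples = [
        "NetScaler NS13.1: Build 50.23.nc, Date: Jan 1 2024, 00:00:00",
        "NetScaler NS13.1: Build 51.15.nc, Date: Jan 1 2024, 00:00:00",
        "NetScaler NS14.1: Build 21.15.nc, Date: Apr 23 2024, 00:00:00",
    ]
    for line in samples:
        build = from_show_version(line)
        print(build, "->", assess(build) if build else "unparsed")
```

Pipe each appliance's `show version` output through `from_show_version` and `assess`; anything reported as `vulnerable` is below the build Bishop Fox recommends, and anything `outside-13.1-branch` needs to be checked against Citrix's own guidance rather than this script.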

“The vulnerability allows an attacker to recover potentially sensitive data from memory,” Bishop Fox added. “Although in most cases nothing of value is returned, we have observed instances where POST request bodies are leaked. These POST requests may contain credentials or cookies.” It is unclear whether Citrix had disclosed this vulnerability privately to its customers or had even acknowledged the issue raised by Bishop Fox as a vulnerability.
