Citrix NetScaler devices face active zero-day exploitations

Citrix has warned its NetScaler ADC and NetScaler Gateway customers against two critical zero-day vulnerabilities that have active exploitations in the wild.

Tracked as CVE-2023-6548 and CVE-2023-6549, the vulnerabilities allow miscreants to perform remote code execution (RCE) and denial-of-service (DoS) attacks on the affected devices.

“The vulnerabilities only apply to customer-managed NetScaler ADC and NetScaler Gateway products,” Citrix said in a security advisory. “Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.”

NetScaler Application Delivery Controller (ADC) and NetScaler Gateway are network solution appliances, designed to support the performance, security, and availability of applications and services within enterprise networks.

Flaws need pre-requisites for infection

The RCE enabling flaw (CVE-2023-6548) found in the appliances only impacts the management interface, according to Citrix. The bug can therefore be mitigated by performing a simple network segregation.

“Cloud Software Group strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic,” Citrix said. “In addition, we recommend that you do not expose the management interface to the internet, as explained in the secure deployment guide.”

The advisory lists having prior access to NetScaler IP (NSIP), Cluster IP (CLIP), or Subnet IP (SNIP) with management interface access as a prerequisite for the exploitation of CVE-2023-6548. The vulnerability carries a common vulnerability scoring system (CVSS) score of 5.5, making it a flaw with “medium” criticality.

CVE-2023-6549, with a CVSS score of 8.2, is a vulnerability with “high” criticality and requires the appliances to be “configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy),” according to the advisory.

Impacted appliances run earlier versions

The affected appliances include the ones running outdated versions of the NetScaler ADC and NetScaler Gateway. Faulty versions include NetScaler ADC and NetScaler Gateway 13.0 (before 13.0-92.21), 13.1 (before 13.1-51.15), and 14.1(14.1-12.35).

Additionally, the Federal Information Processing Standard (FIPS) compliant versions including, NetScaler ADC FIPS 12.1 (before 12.1-55.302), and 13.1 (before 13.1-37.176) are also affected. NetScaler ADC 12.1-NDcPP before 12.1-55.302, compliant under Network Device Collaborative Protection Profile, are affected too.

“NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL) and is vulnerable,” Citrix added.

Citrix has recommended customers immediately update to the latest supported versions as they address these vulnerabilities. “Exploits of these CVEs on unmitigated appliances have been observed,” Citrix said. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” Citrix recently discovered multiple high-severity vulnerabilities in the same product lines.

Zero-day vulnerability

Go to Source