The advisory lists having prior entry to NetScaler IP (NSIP), Cluster IP (CLIP), or Subnet IP (SNIP) with administration interface entry as a prerequisite for the exploitation of CVE-2023-6548. The vulnerability carries a standard vulnerability scoring system (CVSS) rating of 5.5, making it a flaw with “medium” criticality.
CVE-2023-6549, with a CVSS rating of 8.2, is a vulnerability with “excessive” criticality and requires the home equipment to be “configured as a Gateway (VPN digital server, ICA Proxy, CVPN, RDP Proxy),” based on the advisory.
Impacted home equipment run earlier variations
The affected home equipment embody those working outdated variations of the NetScaler ADC and NetScaler Gateway. Defective variations embody NetScaler ADC and NetScaler Gateway 13.0 (earlier than 13.0-92.21), 13.1 (earlier than 13.1-51.15), and 14.1(14.1-12.35).
Moreover, the Federal Data Processing Customary (FIPS) compliant variations together with, NetScaler ADC FIPS 12.1 (earlier than 12.1-55.302), and 13.1 (earlier than 13.1-37.176) are additionally affected. NetScaler ADC 12.1-NDcPP earlier than 12.1-55.302, compliant underneath Community Gadget Collaborative Safety Profile, are affected too.
“NetScaler ADC and NetScaler Gateway model 12.1 is now Finish of Life (EOL) and is weak,” Citrix added.
Citrix has really useful prospects instantly replace to the newest supported variations as they handle these vulnerabilities. “Exploits of those CVEs on unmitigated home equipment have been noticed,” Citrix stated. “Cloud Software program Group strongly urges affected prospects of NetScaler ADC and NetScaler Gateway to put in the related up to date variations as quickly as potential.” Citrix not too long ago found a number of high-severity vulnerabilities in the identical product strains.
