
Citrix Patches Critical NetScaler ADC, Gateway Vulnerability

Citrix on Tuesday announced patches for a critical-severity vulnerability impacting multiple versions of NetScaler Application Delivery Controller (ADC) and NetScaler Gateway.

Tracked as CVE-2023-4966 (CVSS score of 9.4), the security defect could result in sensitive information disclosure, the tech giant notes in an advisory.

According to Citrix, the issue could be exploited without authentication on appliances that are configured as a Gateway or an AAA virtual server.

The flaw impacts NetScaler ADC and NetScaler Gateway versions 14.1, 13.1, 13.0, and NetScaler ADC 13.1-FIPS, 12.1-FIPS, and 12.1-NDcPP.

Citrix has released NetScaler ADC and NetScaler Gateway versions 14.1-8.50, 13.1-49.15, 13.0-92.19, and NetScaler ADC 13.1-FIPS 13.1-37.164, 12.1-FIPS 12.1-55.300, and 12.1-NDcPP 12.1-55.300 to address the vulnerability.

“NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities,” Citrix says.

The company also notes that only customer-managed NetScaler ADC and Gateway products are impacted and need to be updated to a patched release.
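A minimal inventory check against the fixed builds listed above, added here as an example and not taken from Citrix or the original article. The `NS13.1: Build 49.13.nc` banner shape, the edition labels and the sample inventory are assumptions; builds at or above the listed fix within the same release are treated as patched.

```python
import re

# First patched build per (release, edition), as listed in the article.
FIXED = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Accepts "13.1-49.13" (the article's notation) or "NS13.1: Build 49.13.nc"
# (assumed shape of the appliance's version banner).
_VERSION_RE = re.compile(r"(?<![\d.])(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text):
    """Return (release, (build_major, build_minor)) or raise ValueError."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(text, edition="standard"):
    """Classify an appliance as 'patched', 'vulnerable', 'eol' or 'not-listed'."""
    release, build = parse_version(text)
    fixed = FIXED.get((release, edition.lower()))
    if fixed is None:
        # Non-FIPS/NDcPP 12.1 is end-of-life: the article lists no fixed build.
        return "eol" if release == "12.1" else "not-listed"
    # Tuple comparison is numeric, so build 49.9 sorts below 49.15.
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    inventory = [  # constructed sample data, not real hosts
        ("gw-01", "13.1-49.13", "standard"),
        ("gw-02", "NS14.1: Build 8.50.nc", "standard"),
        ("adc-03", "13.1-37.150", "fips"),
        ("adc-04", "12.1-65.25", "standard"),
    ]
    for host, version, edition in inventory:
        print(f"{host:8} {version:24} {edition:9} {assess(version, edition)}")
```

Appliances reported as `eol` need an upgrade to a supported release rather than a build bump within 12.1.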


The updates also address a high-severity denial-of-service (DoS) flaw (CVE-2023-4967, CVSS score of 8.2) impacting products configured as gateways or AAA virtual servers.

On Tuesday, Citrix also announced hotfixes for five vulnerabilities in Citrix Hypervisor 8.2 CU1 LTSR that could allow malicious code running in a guest VM to compromise the host, crash the host, crash another VM running on the host, or access information from code running on the same CPU core.

Four of these issues (CVE-2023-20588, CVE-2023-34324, CVE-2023-34326, and CVE-2023-3432) only impact systems running on AMD CPUs, while the fifth (CVE-2022-1304) can only be exploited when a host administrator uses a restore sub-option in the on-host xsconsole interface.

“Note that there is not a one-to-one correlation between these hotfixes and the addressed issues; we recommend that you always apply all of the hotfixes,” the tech giant’s advisory reads.

Citrix makes no mention of any of these vulnerabilities being exploited in the wild, but threat actors are known to have targeted publicly disclosed NetScaler ADC and Gateway vulnerabilities in malicious attacks.


The US cybersecurity agency CISA warns that attackers could exploit one of these vulnerabilities to take control of affected systems and encourages administrators to review Citrix’s advisories and apply the necessary patches.
