Citrix NetScaler ADC and NetScaler Gateway are impacted by a vital severity flaw that enables the disclosure of delicate data from weak home equipment.
The flaw is tracked as CVE-2023-4966 and has acquired a CVSS score of 9.4, being remotely exploitable with out requiring excessive privileges, person interplay, or excessive complexity.
Nonetheless, there’s the prerequisite of the equipment to be configured as a Gateway (VPN digital server, ICA Proxy, CVPN, RDP Proxy) or an AAA digital server for it to be weak to assaults.
Whereas the flaw’s exploitation can result in “delicate data disclosure,” the seller has not offered any particulars about what data is uncovered.
A second vulnerability disclosed in the identical bulletin is CVE-2023-4967, a high-severity (CVSS rating: 8.2) flaw carrying the identical conditions, which might probably trigger denial of service (DoS) on weak units.
The affected variations of Citrix merchandise are:
- NetScaler ADC and NetScaler Gateway 14.1 earlier than 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 earlier than 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 earlier than 13.0-92.19
- NetScaler ADC 13.1-FIPS earlier than 13.1-37.164
- NetScaler ADC 12.1-FIPS earlier than 12.1-55.300
- NetScaler ADC 12.1-NDcPP earlier than 12.1-55.300
The really useful motion is to improve to a hard and fast model that implements security updates addressing the 2 flaws. Citrix has offered no mitigation ideas or workarounds this time.
“Cloud Software program Group strongly urges affected prospects of NetScaler ADC and NetScaler Gateway to put in the related up to date variations of NetScaler ADC and NetScaler Gateway as quickly as attainable,” reads Citrix’s security bulletin.
The goal variations to improve to are:
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
It’s famous that model 12.1 has reached its finish of life (EOL) date and can now not be supported by Citrix. Therefore, customers are really useful to improve to a more recent, actively supported launch.
Important-severity flaws in Citrix merchandise are extremely sought-after by hackers, as giant organizations with invaluable property use these units.
A current instance of such exploitation is CVE-2023-3519, a vital distant code execution flaw Citrix fastened as a zero-day in July 2023.
This flaw is at present underneath lively exploitation by quite a few cybercriminals who leverage the obtainable exploits for planting backdoors and stealing credentials.
