Citrix is warning of two vulnerabilities in its NetScaler Application Delivery Controller (ADC) and Gateway appliances that are being exploited in the wild.
The two flaws in Citrix’s network solution appliances include a high-severity denial-of-service bug (CVE-2023-6549) and a medium-severity remote code execution flaw (CVE-2023-6548). Citrix said it is aware of a "limited number of exploits" in the wild and urged impacted customers to apply updates.
“Exploits of these CVEs on unmitigated appliances have been observed,” according to Citrix’s security advisory on Tuesday. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”
Several versions are impacted, including NetScaler ADC and NetScaler Gateway 14.1 (before 14.1-12.35), 13.1 (before 13.1-51.15), 13.0 (before 13.0-92.21), NetScaler ADC 13.1-FIPS (before 13.1-37.176), NetScaler ADC 12.1-FIPS (before 12.1-55.302) and NetScaler ADC 12.1-NDcPP (before 12.1-55.302). NetScaler ADC and NetScaler Gateway version 12.1 (an end-of-life version) is also vulnerable.
In order to exploit CVE-2023-6548, an attacker would need to be authenticated and have access to NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP), as well as access to the appliance’s management interface. For appliances to be vulnerable to CVE-2023-6549 they would need to be configured as a Gateway (for instance as a VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server.
If customers are using the impacted builds and have NetScaler ADC or the NetScaler Gateway management IP on the public internet, Citrix strongly recommended that they "immediately install the recommended builds."
“CVE-2023-6548 only impacts the management interface,” according to Citrix. “Cloud Software Group strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic. In addition, we recommend that you do not expose the management interface to the internet, as explained in the secure deployment guide. Removing such exposure to the internet greatly reduces the risk of exploitation of this issue.”
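The version list and the exposure conditions above can be turned into an inventory check. The following script is an added example, not code from Citrix or from the article: it encodes the fixed builds quoted in the advisory, parses NetScaler version strings in the "14.1-12.35" form used above (an assumption about the input format), and, for each appliance, reports whether its build is affected, whether the CVE-2023-6549 precondition (Gateway or AAA virtual server) applies, and whether the management IP (NSIP) falls outside a set of internal management networks. The `Appliance` records, the RFC 1918 allowlist and the sample inventory are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Fixed builds as quoted in the advisory summary above: a build below the listed
# one on the same release train is affected. Keys are (release, variant).
FIXED_BUILDS = {
    ("14.1", "standard"): (12, 35),
    ("13.1", "standard"): (51, 15),
    ("13.0", "standard"): (92, 21),
    ("13.1", "FIPS"): (37, 176),
    ("12.1", "FIPS"): (55, 302),
    ("12.1", "NDcPP"): (55, 302),
}
# 12.1 (non-FIPS, non-NDcPP) is end of life: vulnerable with no fixed build.
EOL_RELEASES = {("12.1", "standard")}

# Assumed: the organisation's management networks (constructed RFC 1918 allowlist).
MGMT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Accepts "14.1-12.35", "NS14.1-12.35" or "14.1 12.35" (assumed input formats).
VERSION_RE = re.compile(r"^(?:NS)?(\d+\.\d+)[-\s](\d+)\.(\d+)")


def parse_version(text):
    """Split a NetScaler version string into (release, (build_major, build_minor))."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def build_is_affected(version, variant="standard"):
    """True if affected, False if at/after the fixed build, None if the release
    train is not covered by the advisory data above (verify manually)."""
    release, build = parse_version(version)
    if (release, variant) in EOL_RELEASES:
        return True
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (51, 15) < (51, 15) is False


@dataclass
class Appliance:
    name: str
    version: str
    variant: str = "standard"      # "standard", "FIPS" or "NDcPP"
    nsip: str = ""                 # management IP (NSIP)
    gateway_or_aaa: bool = False   # Gateway vserver (VPN/ICA Proxy/CVPN/RDP Proxy) or AAA vserver


def assess(app):
    """Return a list of findings for one appliance; empty means nothing to do."""
    affected = build_is_affected(app.version, app.variant)
    if affected is None:
        return [f"{app.version}: release train not in advisory data; verify manually"]
    if not affected:
        return []
    findings = []
    # CVE-2023-6549 (DoS) only applies when a Gateway or AAA vserver is configured.
    if app.gateway_or_aaa:
        findings.append("CVE-2023-6549: vulnerable build with Gateway/AAA vserver configured")
    # CVE-2023-6548 (RCE) reaches any vulnerable build via the management interface.
    findings.append("CVE-2023-6548: vulnerable build; restrict management interface access and patch")
    if app.nsip:
        addr = ipaddress.ip_address(app.nsip)
        if not any(addr in net for net in MGMT_NETWORKS):
            findings.append(f"management IP {app.nsip} is outside the internal management networks: patch immediately")
    return findings


def report(inventory):
    """Map appliance name -> findings for a whole inventory."""
    return {app.name: assess(app) for app in inventory}


# Constructed sample inventory (names, builds and addresses are illustrative).
SAMPLE_INVENTORY = [
    Appliance("gw-edge-01", "14.1-12.35", nsip="10.20.0.11", gateway_or_aaa=True),
    Appliance("gw-edge-02", "13.1-49.13", nsip="203.0.113.20", gateway_or_aaa=True),
    Appliance("adc-fips-01", "13.1-37.150", variant="FIPS", nsip="10.20.0.12"),
    Appliance("adc-legacy-01", "12.1-65.25", nsip="192.168.50.5"),
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_INVENTORY).items():
        print(name, "->", findings or ["OK"])
```

Run against an exported inventory, only the records on affected builds produce findings, and the management-IP check makes the separation guidance in the advisory quote concrete: an NSIP outside the allowlisted networks is the case Citrix says to patch immediately.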
Citrix said that CVE-2023-6548 was discovered as a result of a customer report, while CVE-2023-6549 was found internally (and a customer subsequently reported an exploit).
Flaws in Citrix NetScaler ADC and Gateway have historically been targeted by threat actors, including an unauthenticated remote code execution bug (CVE-2023-3519) in September and one in October (CVE-2023-4966) called CitrixBleed, which led to widespread exploitation targeting professional services, technology and government organizations.
“The impact from these two new zero-day vulnerabilities is not expected to be as significant as CitrixBleed,” said Satnam Narang and Scott Caveza, researchers with Tenable, in a Tuesday post. “Nonetheless, organizations that do use these appliances in their networks should apply the available patches as soon as possible.”