Citrix Warns of Critical NetScaler Console Flaw


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Citrix are urging users and administrators to apply updates for the flaw.

Citrix has fixed a critical-severity vulnerability in NetScaler Console, its cloud-based monitoring and management product, which if exploited could give attackers unauthorized access to sensitive data.

The flaw (CVE-2024-6235), which scores 9.4 out of 10 on the CVSS scale, stems from improper authentication and could be exploited by an attacker with access to a NetScaler Console IP. Versions of NetScaler Console 14.1 before 14.1-25.53 are impacted. In separate advisories, both the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre urged users and administrators to apply updates for the flaw, as well as several other vulnerabilities patched by Citrix on Tuesday.

“Citrix released security updates to address vulnerabilities in multiple Citrix products,” according to CISA’s alert on Tuesday. “A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.”

Citrix also fixed a high-severity denial-of-service flaw in its NetScaler Console, which also exists in the NetScaler Agent and NetScaler Service Virtual Machine (SVM). The bug (CVE-2024-6236) stems from the improper restriction of operations within the bounds of a memory buffer, and an attacker with access to a NetScaler Console, NetScaler Agent or SVM IP could launch denial-of-service attacks. Citrix also warned of another high-severity denial-of-service bug (CVE-2024-5491) in its NetScaler ADC and Gateway appliances.

“Cloud Software Group strongly urges customers of NetScaler Console to install the relevant updated versions of NetScaler Console as soon as possible,” according to Citrix’s NetScaler security advisory.

In the Citrix Workspace app for Windows, a high-severity vulnerability (CVE-2024-6286) was patched that could give low-privileged attackers SYSTEM privileges if they have local access to the targeted system. The flaw impacts the Citrix Workspace app for Windows versions before 2403.1 in the current release (fixes are available in 2403.1 and later versions) and versions before 2402 in the long-term service release (fixes are available in 2402 and later versions).

NetScaler has previously been a target for threat actors. Last year, threat actors exploited a critical-severity flaw in Citrix NetScaler ADC and Gateway appliances in order to target professional services, technology and government organizations. The flaw (CVE-2023-4966) stemmed from an unauthenticated buffer-related issue and could enable sensitive information disclosure.