On January 16, 2024, Citrix published a security bulletin disclosing two zero-day vulnerabilities (CVE-2023-6548 & CVE-2023-6549) being actively exploited in Citrix NetScaler ADC and NetScaler Gateway.
| CVE-2023-6548 | CVSS 5.5 – Medium | Actively Exploited? | |
| Code injection vulnerability on the Management Interface can result in authenticated Remote Code Execution (RCE) for low-privileged threat actors.
· Pre-requisite: Access to NSIP, CLIP or SNIP with management interface access is required by threat actors to exploit this vulnerability |
Yes | ||
| CVE-2023-6549 | CVSS 8.2 – High | Actively Exploited? | |
| Buffer overflow vulnerability that can lead to a Denial of Service (DoS).
· Pre-requisite: To be susceptible to Denial of Service (DoS) attacks, the appliances must be set up either as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. |
Yes | ||
Specifics of the exploitation observed by Citrix have not been revealed and Arctic Wolf has not identified any public Proof of Concept (PoC) exploits. However, we assess more threat actors are likely to target these vulnerabilities in the near-term due to the potential level of access they can obtain once compromising an appliance. Threat actors have also previously exploited several vulnerabilities targeting Citrix NetScaler ADC and NetScaler Gateway. Most notably in late 2023, nation-state and ransomware threat actors exploited the information disclosure vulnerability CVE-2023-4966 (Citrix Bleed) against several high profile organizations.
Although there is currently no evidence linking these vulnerabilities directly to Citrix Bleed, Arctic Wolf will continue to closely monitor the situation for any emerging threats or developments.
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
Recommendation for CVE-2023-6548 & CVE-2023-6549
Upgrade Citrix NetScaler ADC and NetScaler Gateway to Fixed Version
Arctic Wolf strongly recommends upgrading Citrix NetScaler ADC and NetScaler Gateway their respective fixed versions.
| Product | Affected Versions | Fixed Versions |
| Citrix NetScaler ADC | · 14.1 before 14.1-12.35
· 13.1 before 13.1-51.15 · 13.0 before 13.0-92.21 · 13.1-FIPS before 13.1-37.176 · 12.1-FIPS before 12.1-55.302 · 12.1-NDcPP before 12.1-55.302 |
· 14.1-12.35 and later releases
· 13.1-51.15 and later releases of 13.1 · 13.0-92.21 and later releases of 13.0 · 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS · 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS · 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP |
| Citrix NetScaler Gateway | · 14.1 before 14.1-12.35
· 13.1 before 13.1-51.15 · 13.0 before 13.0-92.21 |
· 14.1-12.35 and later releases
· 13.1-51.15 and later releases of 13.1 · 13.0-92.21 and later releases of 13.0 |
Note: Citrix NetScaler ADC and NetScaler Gateway version 12.1 has reached its End of Life (EOL). We strongly advise customers to proceed with upgrading their appliances to a supported version that addresses the existing vulnerabilities.
Please follow your organization’s patching and testing guidelines to avoid operational impact.
