On October 10, 2023, Citrix issued a security bulletin describing a critical vulnerability in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway (CVE-2023-4966, CVSS: 9.4). This vulnerability enables an unauthenticated remote threat actor to access memory outside the intended buffer boundaries when certain operations are performed on a memory buffer. The appliance must meet the pre-requisite of being configured as a Gateway (VPN virtual server, ICA proxy, CVPN, RDP Proxy) or AAA virtual server to be vulnerable to CVE-2023-4966. The specifics of which type of data a threat actor can access have not been disclosed by Citrix.
| Product | Vulnerability | Affected Version |
|---|---|---|
| Citrix NetScaler ADC (formerly Citrix ADC) | CVE-2023-4966 | |
| Citrix NetScaler Gateway (formerly Citrix Gateway) | CVE-2023-4966 | |
Note: Version 12.1 of Citrix NetScaler ADC and Citrix NetScaler Gateway is now End-of-Life (EOL) and is vulnerable.
At this time, Arctic Wolf has not observed a public Proof of Concept (PoC) or active exploitation of this vulnerability in the wild. Citrix products are an attractive target for threat actors, as observed earlier in the year when threat actors were exploiting a critical remote code execution (RCE) vulnerability in Citrix ADC and Citrix Gateway. Multiple Citrix vulnerabilities have also been added to CISA’s Known Exploited Vulnerabilities Catalog.
This security bulletin only applies to customer-managed Citrix NetScaler ADC and Citrix NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected by this vulnerability.
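The Gateway/AAA pre-requisite described in the bulletin summary above is the first thing to check when triaging an appliance. The following Python script is an added example, not part of the Arctic Wolf advisory or any Citrix tooling: it scans the text of a NetScaler running configuration (as returned by the `show ns runningConfig` CLI command) for `add vpn vserver` and `add authentication vserver` lines and reports whether the appliance meets the exposure condition. The configuration excerpt embedded in the script is constructed for illustration, and the assumed field layout after the vserver name (service type, IP address, port) is how these commands appear in saved NetScaler configs.

```python
import re
from typing import Dict, List

# Constructed sample of NetScaler running-config lines (not a dump from a real
# appliance). It mixes a plain load-balancing vserver, which does not meet the
# CVE-2023-4966 pre-requisite, with a VPN (Gateway) vserver, an ICA-proxy
# Gateway vserver and an AAA (authentication) vserver, which do.
SAMPLE_CONFIG = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add lb vserver lb_web HTTP 192.0.2.20 80
add vpn vserver gw_vpn SSL 192.0.2.30 443
add vpn vserver gw_ica SSL 192.0.2.31 443 -icaOnly ON
add authentication vserver aaa_auth SSL 192.0.2.40 443
"""

# `add vpn vserver` and `add authentication vserver` are the real NetScaler CLI
# commands that create Gateway and AAA virtual servers. The capture groups
# assume the layout: kind, name, service type, IP address, port.
VSERVER_RE = re.compile(
    r"^\s*add (vpn|authentication) vserver (\S+) (\S+) (\S+) (\d+)",
    re.MULTILINE,
)


def find_exposed_vservers(config_text: str) -> List[Dict[str, str]]:
    """Return one record per Gateway (vpn) or AAA (authentication) vserver."""
    results: List[Dict[str, str]] = []
    for kind, name, svc_type, ip, port in VSERVER_RE.findall(config_text):
        results.append(
            {
                "role": "Gateway" if kind == "vpn" else "AAA",
                "name": name,
                "service_type": svc_type,
                "ip": ip,
                "port": port,
            }
        )
    return results


def is_exposed(config_text: str) -> bool:
    """True if the appliance is configured as a Gateway or AAA virtual server,
    i.e. it meets the CVE-2023-4966 pre-requisite described in the bulletin."""
    return bool(find_exposed_vservers(config_text))


if __name__ == "__main__":
    # Usage: python check_netscaler_exposure.py < runningconfig.txt
    # Falls back to the constructed sample when no input is piped in.
    import sys

    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    hits = find_exposed_vservers(text)
    if hits:
        print("Appliance meets the CVE-2023-4966 pre-requisite; patch per Citrix guidance.")
        for h in hits:
            print(f"  {h['role']:<8} {h['name']:<12} {h['service_type']} {h['ip']}:{h['port']}")
    else:
        print("No Gateway or AAA virtual servers found in this configuration.")
```

A match only tells you the appliance is in scope for the bulletin; the fixed-version comparison still has to be done against the build reported by `show ns version`, and an appliance with no Gateway or AAA vserver today may acquire one later, so re-run the check after configuration changes.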
Recommendation for CVE-2023-4966
Upgrade Citrix NetScaler ADC and Citrix NetScaler Gateway to Fixed Version
Arctic Wolf strongly recommends installing the updated versions of Citrix NetScaler ADC and Citrix NetScaler Gateway.
| Product | Affected Version | Fixed Version |
|---|---|---|
| Citrix NetScaler ADC (formerly Citrix ADC) | | |
| Citrix NetScaler Gateway (formerly Citrix Gateway) | | |
Please follow your organization’s patching and testing guidelines to avoid operational impact.