CVE-2023-6548 & CVE-2023-6549: DoS and RCE Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway


On January 16, 2024, Citrix published a security bulletin disclosing two zero-day vulnerabilities (CVE-2023-6548 & CVE-2023-6549) being actively exploited in Citrix NetScaler ADC and NetScaler Gateway.

 

| CVE | CVSS | Description | Actively Exploited? |
|---|---|---|---|
| CVE-2023-6548 | 5.5 – Medium | Code injection vulnerability on the Management Interface can result in authenticated Remote Code Execution (RCE) for low-privileged threat actors. Pre-requisite: Access to NSIP, CLIP or SNIP with management interface access is required by threat actors to exploit this vulnerability. | Yes |
| CVE-2023-6549 | 8.2 – High | Buffer overflow vulnerability that can lead to a Denial of Service (DoS). Pre-requisite: To be susceptible to Denial of Service (DoS) attacks, the appliances must be set up either as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. | Yes |

Specifics of the exploitation observed by Citrix have not been revealed, and Arctic Wolf has not identified any public Proof of Concept (PoC) exploits. However, we assess that more threat actors are likely to target these vulnerabilities in the near term due to the potential level of access they can obtain after compromising an appliance. Threat actors have also previously exploited several vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway. Most notably, in late 2023, nation-state and ransomware threat actors exploited the information disclosure vulnerability CVE-2023-4966 (Citrix Bleed) against several high-profile organizations.

Although there is currently no evidence linking these vulnerabilities directly to Citrix Bleed, Arctic Wolf will continue to closely monitor the situation for any emerging threats or developments.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Recommendation

Upgrade Citrix NetScaler ADC and NetScaler Gateway to Fixed Version

Arctic Wolf strongly recommends upgrading Citrix NetScaler ADC and NetScaler Gateway to their respective fixed versions.

| Product | Affected Versions | Fixed Versions |
|---|---|---|
| Citrix NetScaler ADC | 14.1 before 14.1-12.35 | 14.1-12.35 and later releases |
| Citrix NetScaler ADC | 13.1 before 13.1-51.15 | 13.1-51.15 and later releases of 13.1 |
| Citrix NetScaler ADC | 13.0 before 13.0-92.21 | 13.0-92.21 and later releases of 13.0 |
| Citrix NetScaler ADC | 13.1-FIPS before 13.1-37.176 | 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS |
| Citrix NetScaler ADC | 12.1-FIPS before 12.1-55.302 | 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS |
| Citrix NetScaler ADC | 12.1-NDcPP before 12.1-55.302 | 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP |
| Citrix NetScaler Gateway | 14.1 before 14.1-12.35 | 14.1-12.35 and later releases |
| Citrix NetScaler Gateway | 13.1 before 13.1-51.15 | 13.1-51.15 and later releases of 13.1 |
| Citrix NetScaler Gateway | 13.0 before 13.0-92.21 | 13.0-92.21 and later releases of 13.0 |

Note: Citrix NetScaler ADC and NetScaler Gateway version 12.1 has reached its End of Life (EOL). We strongly advise customers to proceed with upgrading their appliances to a supported version that addresses the existing vulnerabilities.

Please follow your organization’s patching and testing guidelines to avoid operational impact.
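To triage an appliance inventory against the fixed versions listed above, the following Python is an added example, not code from Citrix or Arctic Wolf. It assumes version strings in the `branch-build` form used in the table (for example `13.1-51.15`) with the edition supplied separately; the function names, hostnames and sample builds are constructed for illustration.

```python
import re

# Fixed builds from the table above, keyed by (branch, edition).
# edition is "" for standard builds, "FIPS" or "NDcPP" for those ADC tracks.
FIXED = {
    ("14.1", ""): (12, 35),
    ("13.1", ""): (51, 15),
    ("13.0", ""): (92, 21),
    ("13.1", "FIPS"): (37, 176),
    ("12.1", "FIPS"): (55, 302),
    ("12.1", "NDcPP"): (55, 302),
}
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")  # assumed form: 13.1-51.15


def triage(version, edition=""):
    """Return 'fixed', 'vulnerable', 'eol', 'unlisted' or 'unparsed'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED.get((branch, edition))
    if fixed is None:
        # Standard 12.1 is EOL per the note above; other branches are not in the table.
        return "eol" if branch == "12.1" else "unlisted"
    # Compare builds as integer pairs: as strings, "9.60" would sort above "51.15".
    return "fixed" if build >= fixed else "vulnerable"


def needs_action(inventory):
    """Return (host, status) for every appliance that is not on a fixed build."""
    results = [(host, triage(ver, ed)) for host, ver, ed in inventory]
    return [(host, status) for host, status in results if status != "fixed"]


# Constructed inventory: hostnames and builds are sample values, not real systems.
SAMPLE_INVENTORY = [
    ("adc-01", "13.1-49.15", ""),
    ("adc-02", "13.1-9.60", ""),
    ("gw-01", "14.1-12.35", ""),
    ("adc-fips", "13.1-37.176", "FIPS"),
    ("adc-old", "12.1-65.35", ""),
]

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

The FIPS and NDcPP tracks have their own fixed builds, so an appliance on one of those tracks must be tagged with its edition; otherwise a patched 13.1-FIPS build such as 13.1-37.176 is compared against the standard 13.1 threshold and reported as vulnerable.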

References

  1. Citrix Article
  2. CISA Adds Vulnerabilities to KEV
  3. Arctic Wolf Blog (CVE-2023-4966)
Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security and holds a bachelor’s degree in Cybersecurity Engineering.