Advisory

Another Citrix NetScaler flaw gives access to sensitive data

Take action: This feels like beating a dead horse. Yes, it's time to patch your Citrix NetScaler once again. No, you can't ignore this, because by its nature NetScaler is exposed to the internet (and to attackers). And yet there will be people who ignore this advisory and get hacked once again through their Citrix NetScaler.

Learn More

Another critical vulnerability has been reported in Citrix NetScaler ADC and NetScaler Gateway. The flaw can expose confidential data held on susceptible devices. This is a further blow to Citrix gateway security, after the discovery of a critical flaw in July and its subsequent string of exploitations by attackers.

CVE-2023-4966 (CVSS score 9.4) can be exploited remotely without elevated privileges, user interaction, or complex methods.

Only appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server are susceptible to this vulnerability. While stating that exploitation might result in the disclosure of "sensitive data", Citrix remains tight-lipped about the specific nature of the exposed data.

A second vulnerability, tracked as CVE-2023-4967 (CVSS score 8.2), can be used to trigger a denial of service (DoS) on affected appliances. Its prerequisites are similar to those of the former flaw.

Vulnerable versions of Citrix NetScaler include:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Citrix hasn't offered any mitigations or workarounds; updating is the only fix.

Citrix's security announcement mentions, "We strongly advocate that customers using NetScaler ADC and NetScaler Gateway promptly shift to the updated versions."

Recommended versions to update to are:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 or later
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 or later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 or later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 or later
  • NetScaler ADC 12.1-FIPS 12.1-55.300 or later
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 or later

Note that version 12.1 has reached end of life and will receive no further support from Citrix, so appliances on 12.1 should be upgraded to a newer, supported version.
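For anyone triaging an estate of NetScaler appliances against the version lists above, the following is an added example (not Citrix's tooling and not from the original advisory) that parses a NetScaler build string, compares it with the fixed build for its branch and variant, and folds in the advisory's two caveats: only Gateway/AAA configurations are exposed to CVE-2023-4966, and the 12.1 branch without a FIPS/NDcPP fix is end of life. The inventory lines, hostnames and the `standard`/`FIPS`/`NDcPP` variant labels are constructed for the example.

```python
"""Triage NetScaler ADC / Gateway builds against the fixed builds named in the
Citrix advisory for CVE-2023-4966 and CVE-2023-4967.

Added example, not Citrix tooling.  Build strings follow the form shown in the
advisory, '<major>.<minor>-<build>.<rev>', e.g. '13.1-49.15'.
"""
import re
from typing import Iterable, List, NamedTuple, Tuple

# Fixed builds taken from the advisory, keyed by (branch, variant).
# 'standard' is a label used here for ordinary ADC/Gateway builds.
FIXED_BUILDS = {
    ("14.1", "standard"): "14.1-8.50",
    ("13.1", "standard"): "13.1-49.15",
    ("13.0", "standard"): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


class Build(NamedTuple):
    """Numeric build so that tuple comparison orders builds correctly
    (string comparison would rank '13.1-9.0' above '13.1-49.15')."""
    major: int
    minor: int
    build: int
    rev: int

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}"


def parse_build(text: str) -> Build:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {text!r}")
    return Build(*(int(g) for g in m.groups()))


def assess(version: str, variant: str = "standard", gateway_or_aaa: bool = True) -> str:
    """Classify one appliance.

    Returns one of:
      'fixed'          build is at or above the fixed build for its branch
      'vulnerable'     below the fix and configured as Gateway/AAA (exposed)
      'patch-advised'  below the fix but no Gateway/AAA vserver; still update
      'unsupported'    12.1 with no fixed build (end of life): upgrade branch
      'unknown-branch' branch not covered by the advisory; check manually
    """
    b = parse_build(version)
    fixed = FIXED_BUILDS.get((b.branch, variant))
    if fixed is None:
        return "unsupported" if b.branch == "12.1" else "unknown-branch"
    if b >= parse_build(fixed):
        return "fixed"
    return "vulnerable" if gateway_or_aaa else "patch-advised"


def triage_inventory(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse constructed inventory lines 'host,build,variant,role' where role
    is 'gateway', 'aaa' or 'lb', and return (host, verdict) pairs."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, build, variant, role = (f.strip() for f in line.split(","))
        exposed = role.lower() in ("gateway", "aaa")
        out.append((host, assess(build, variant, exposed)))
    return out


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = """
# host,build,variant,role
ns-edge-01,13.1-48.47,standard,gateway
ns-edge-02,13.1-49.15,standard,gateway
ns-fips-01,13.1-37.100,FIPS,aaa
ns-lb-01,13.0-91.13,standard,lb
ns-old-01,12.1-55.100,standard,gateway
""".splitlines()

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:<12} {verdict}")
```

Feed it a real export of hostname, build, variant and role and sort on the verdict column; anything marked `vulnerable` is an internet-facing Gateway or AAA vserver on an unfixed build and goes to the top of the patch queue, while `unsupported` hosts need a branch upgrade rather than a point release.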
