Advisory

Citrix patches actively exploited issues in Netscaler ADC and Gateway

Take action: As the Citrix Bleed series of incidents showed, attackers love unpatched Netscaler systems. They are easily discoverable, exposed to the internet by their very nature, and can be attacked with automated tools. Even though there are preconditions for exploitation, don't assume those preconditions can't be met: there is always someone, somewhere, assuming that you are the one fixing their errors. So isolate the Netscaler management interface from the internet, and patch ASAP.


Learn More

On Tuesday, Citrix issued a critical warning to its customers, advising them to promptly implement patches for two newly discovered zero-day vulnerabilities found in Netscaler ADC and Gateway appliances. The vulnerabilities are:

  • CVE-2023-6548 (CVSS score 5.5)
  • CVE-2023-6549 (CVSS score 8.2)

There are several preconditions for successful exploitation:

  1. For code execution, an attacker must have access to a low-privilege account on the target device, and must also have access to the NSIP, CLIP, or SNIP with management interface privileges.
  2. The appliances are only susceptible to the DoS attack if they are configured as a gateway (such as a VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server.

Citrix clarifies that these vulnerabilities impact only customer-managed NetScaler appliances, with Citrix-managed cloud services and Citrix-managed Adaptive Authentication remaining unaffected.

The affected Netscaler product versions include:

  • NetScaler ADC and NetScaler Gateway 14.1 versions prior to 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 versions prior to 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 versions prior to 13.0-92.21
  • NetScaler ADC 13.1-FIPS versions prior to 13.1-37.176
  • NetScaler ADC 12.1-FIPS versions prior to 12.1-55.302
  • NetScaler ADC 12.1-NDcPP versions prior to 12.1-55.302
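To turn the version list above into a fleet check, here is an added example (not Citrix's own tooling) that parses a Netscaler version string and compares it against the first fixed build of each branch. It assumes versions arrive either as "13.1-51.15" or as the "NetScaler NS13.1: Build 51.15.nc" form of `show version` output, and that the caller knows whether an appliance is a FIPS or NDcPP build.

```python
import re

# First fixed build per branch, taken from the advisory's affected-version list.
# The 12.1-FIPS and 12.1-NDcPP lines share the same fixed build.
FIXED_BUILDS = {
    "14.1": (12, 35),
    "13.1": (51, 15),
    "13.0": (92, 21),
    "13.1-FIPS": (37, 176),
    "12.1-FIPS": (55, 302),
    "12.1-NDcPP": (55, 302),
}

# Matches "13.1-51.15" as well as "NetScaler NS13.1: Build 51.15.nc"
# (the latter layout is an assumption about `show version` output).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[:\s-]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text):
    """Return (release, (build_major, build_minor)) or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version_text, variant=""):
    """Classify one appliance against the advisory's fixed builds.

    variant is "" for standard ADC/Gateway, or "FIPS" / "NDcPP" for those builds.
    Returns "patched", "vulnerable", "eol" (plain 12.1, unsupported) or "unknown".
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    release, build = parsed
    branch = f"{release}-{variant}" if variant else release
    if branch not in FIXED_BUILDS:
        # Plain 12.1 has no fixed build: the advisory says to upgrade off it.
        return "eol" if release == "12.1" else "unknown"
    # Tuple comparison orders (51, 15) below (51, 20) and above (49, 13).
    return "patched" if build >= FIXED_BUILDS[branch] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (version string, variant).
    inventory = [("14.1-12.35", ""), ("NetScaler NS13.1: Build 49.13.nc", ""),
                 ("12.1-55.300", "FIPS"), ("12.1-65.20", "")]
    for text, variant in inventory:
        print(f"{text:40s} {variant or 'standard':9s} -> {assess(text, variant)}")
```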

Over 1,500 Netscaler management interfaces are currently exposed online. In a security advisory, Citrix strongly encourages administrators to update their Netscaler appliances as soon as possible to prevent potential attacks, noting that exploitation of these vulnerabilities on unpatched appliances has already been observed.

For those still using NetScaler ADC and NetScaler Gateway version 12.1, which is now end-of-life (EOL), upgrading to a supported version is advised.

Administrators who are unable to deploy the security updates immediately should block network traffic to the affected instances and ensure they are not exposed online. Citrix also recommends separating network traffic to the appliance’s management interface from regular network traffic, either physically or logically, and advises against exposing the management interface to the internet.
