What vulnerabilities were reported by Citrix in their NetScaler products?

Citrix reported two vulnerabilities affecting NetScaler Console, NetScaler SVM, and NetScaler Agent. These vulnerabilities can potentially allow attackers to access sensitive information and cause denial of service (DoS) attacks.

What are the details of the vulnerabilities CVE-2024-6235 and CVE-2024-6236?

CVE-2024-6235 (CVSS score 9.4) involves improper authentication leading to sensitive information disclosure, requiring access to the NetScaler Console IP. CVE-2024-6236 (CVSS score 7.1) involves improper restriction of operations within the bounds of a memory buffer, leading to a potential DoS attack, requiring access credentials to the NetScaler Console IP, NetScaler Agent IP, or SVM IP.

Which versions of NetScaler products are affected by these vulnerabilities?

CVE-2024-6235 affects NetScaler Console versions 14.1 before 14.1-25.53. CVE-2024-6236 affects NetScaler Console versions 14.1 before 14.1-25.53, 13.1 before 13.1-53.22, and 13.0 before 13.0-92.31; NetScaler SVM versions 14.1 before 14.1-25.53, 13.1 before 13.1-53.17, and 13.0 before 13.0-92.31; and NetScaler Agent versions 14.1 before 14.1-25.53, 13.1 before 13.1-53.22, and 13.0 before 13.0-92.31.

What actions does Citrix recommend to address these vulnerabilities?

Citrix strongly advises customers to update their NetScaler products to the latest versions: NetScaler Console 14.1-25.53 and later releases of 14.1, 13.1-53.22 and later releases of 13.1, and 13.0-92.31 and later releases of 13.0; NetScaler SVM 14.1-25.53 and later releases of 14.1, 13.1-53.17 and later releases of 13.1, and 13.0-92.31 and later releases of 13.0; NetScaler Agent 14.1-25.53 and later releases of 14.1, 13.1-53.22 and later releases of 13.1, and 13.0-92.31 and later releases of 13.0.

Advisory

Citrix reports critical NetScaler flaw exposing sensitive information to attackers

published: July 10, 2024

Take action: If you are using NetScaler Console (formerly NetScaler ADM), NetScaler SVM, and NetScaler Agent, plan to patch. First make sure your NetScaler Console is not exposed to the internet, then update quickly.

Learn More

Citrix is reporting two vulnerabilities affecting its NetScaler Console (formerly NetScaler ADM), NetScaler SVM, and NetScaler Agent, potentially allowing attackers to access sensitive information and cause denial of service (DoS) attacks.

Citrix discovered these vulnerabilities through internal research and is unaware of any wild exploits. However, the company emphasizes the importance of prompt action, especially for customers with NetScaler Console exposed to the public internet.

The vulnerabilities are tracked as:

CVE-2024-6235 (CVSS score 9.4) : This vulnerability involves improper authentication and can lead to sensitive information disclosure. Exploitation requires access to the NetScaler Console IP.
CVE-2024-6236 (CVSS score 7.1): This vulnerability is due to improper restriction of operations within the bounds of a memory buffer , leading to a potential DoS attack. Exploitation requires access credentials to the NetScaler Console IP, NetScaler Agent IP, or SVM IP.

Affected Versions

CVE-2024-6235 affects NetScaler Console versions:
- 14.1 before 14.1-25.53
CVE-2024-6236 affects:
- NetScaler Console versions 14.1 before 14.1-25.53, 13.1 before 13.1-53.22, and 13.0 before 13.0-92.31
- NetScaler SVM versions 14.1 before 14.1-25.53, 13.1 before 13.1-53.17, and 13.0 before 13.0-92.31
- NetScaler Agent versions 14.1 before 14.1-25.53, 13.1 before 13.1-53.22, and 13.0 before 13.0-92.31

Citrix strongly advises customers to update their NetScaler products to the latest versions to address these vulnerabilities:

NetScaler Console 14.1-25.53 and later releases of 14.1
NetScaler Console 13.1-53.22 and later releases of 13.1
NetScaler Console 13.0-92.31 and later releases of 13.0
NetScaler SVM 14.1-25.53 and later releases of 14.1
NetScaler SVM 13.1-53.17 and later releases of 13.1
NetScaler SVM 13.0-92.31 and later releases of 13.0
NetScaler Agent 14.1-25.53and later releases of 14.1
NetScaler Agent 13.1-53.22 and later releases of 13.1
NetScaler Agent 13.0-92.31and later releases of 13.0

Citrix reports critical NetScaler flaw exposing sensitive information to attackers

Read More
Monitoring software Centreon patches multiple SQL Injection flaws
Multiple security flaws, two critical expose IBM Db2 …
Critical UUID Flaw in Fiber v2 Framework Enables …
Veeam patches critical vulnerability in the Veeam Updater …
HPE Patches Multiple Flaws Aruba AOS-CX Including Critical …