Two vulnerabilities in NetScaler’s ADC and Gateway products have been fixed – but not before criminals found and exploited them, according to the vendor.
CVE-2023-6548 could allow remote code execution (RCE) in the appliances’ management interface. It received a 5.5 CVSS rating, which is low for an RCE bug. One reason for this may be because it does require the attacker to be authenticated, albeit with low-level privileges, and they must have access to NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP) with management interface access.
In addition, this vulnerability cannot be exploited if the management console and related tech is not configured with exposure to the public internet, and NetScaler’s configuration instructions recommend that it only be configured on a private network. TLDR: If you followed Citrix’s instructions, your appliances should be safe.
The bad news? According to Shadowserver, just over 1,400 Netscaler management interfaces are exposed on the internet as of Wednesday afternoon.
The second bug, tracked as CVE-2023-6549, could allow a denial-of-service attack, and earned an 8.2 CVSS rating. A successful exploit requires the appliance be configured as a gateway (such as a VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server that provides authentication, authorization, and accounting controls.
“Exploits of these CVEs on unmitigated appliances have been observed,” according to a Tuesday security alert from Citrix.
The flaws only affected customer-managed NetScaler ADC and NetScaler Gateway, so customers using Netscaler-managed services don’t have to worry about any of this.
Vulnerable products include:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
- NetScaler ADC 13.1-FIPS before 13.1-37.176
- NetScaler ADC 12.1-FIPS before 12.1-55.302
- NetScaler ADC 12.1-NDcPP before 12.1-55.302
Customers should install updated versions: “We recommend immediate application of fixes,” according to the vendor’s guidance.
In response to The Register‘s questions, Citrix said it is aware of “only a limited number of exploits in the wild.”
“The vulnerabilities only apply to customer-managed instances and do not apply to cloud managed services,” the vendor added. “NetScaler recommends customers apply the fixes quickly before the exploitation becomes widespread.”
The US Cybersecurity and Infrastructure Security Agency has already added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog.
And while all of this feels very Citrix-Bleed-esque, the vendor assures us that these new bugs under attack are not related to that zero-day. Citrix Bleed, of course, is the critical information-disclosure bug that also affects NetScaler ADC and NetScaler Gateway. It was disclosed in October and abused to infect victims with ransomware and steal, among a ton of other data, millions of Comcast Xfinity subscribers’ personal info.
Unlike Citrix Bleed, the latest security flaws don’t allow for data exfiltration, which makes them not quite as appealing to would-be digital thieves and ransomware crews.
A couple of Tenable security research engineers weighed in on the vulnerabilities. Satnam Narang and Scott Caveza pointed out that although these are Citrix appliances’ second and third zero-days in the last four months, “the impact from these two new zero-day vulnerabilities is not expected to be as significant as Citrix Bleed.”
“Nonetheless, organizations that do use these appliances in their networks should apply the available patches as soon as possible,” the duo added. ®