On the 10th of October 2023, Citrix issued critical updates for two vulnerabilities in the NetScaler ADC and NetScaler Gateway. Because of recent active exploitation of these vulnerabilities, the associated risk was upgraded. This prompted us to publish this threat response. We urge all recipients to install updates on vulnerable appliances as soon as possible.
The two vulnerabilities exclusively impact customer-managed NetScaler ADC and NetScaler Gateway appliances and not the Citrix-managed cloud services or Citrix-managed Adaptive Authentication.
Since these vulnerabilities could have a big impact, we would like to warn you and advise you on actions to take to mitigate the risk.
The vulnerabilities are tracked under two CVEs: CVE-2023-4966 (CVSS score 9.4) and CVE-2023-4967 (CVSS score 8.2). CVE-2023-4966 allows remote attackers to hijack existing authenticated sessions, circumventing security measures such as Multi-Factor Authentication (MFA), and potentially resulting in the exposure of sensitive information. Citrix did not explain what type of information can be disclosed to an attacker. However, exploitation examples in the wild have been identified by Mandiant. The second vulnerability, CVE-2023-4967, allows remote attackers to hijack existing authentication sessions with the intent of launching a Denial of Service (DoS) attack on vulnerable appliances.
The following supported versions of NetScaler ADC and NetScaler Gateway are vulnerable when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Please note that NetScaler ADC and NetScaler Gateway versions prior to 12.1 are End-of-Life and are vulnerable. It is recommended to update to one of the supported versions.
The vulnerabilities allow an attacker to seize control of an existing user's authenticated session. This potentially leads to unauthorised access to the system, including the acquisition of login credentials, lateral movement, access to sensitive resources, and DoS attacks. Northwave assumes that exploitation of these vulnerabilities will have a high impact.
We estimate the risk of these vulnerabilities as high, because of the popularity and widespread usage of NetScaler ADC and NetScaler Gateway appliances. The main risk is that an attacker could gain unauthenticated access to the systems, enabling sensitive information disclosure and DoS attacks. Mandiant's findings suggest active exploitation since August 2023.
Citrix issued updates for the vulnerabilities on October 10th. We advise users who run the vulnerable versions to update to the following versions as soon as possible:
- For NetScaler ADC and NetScaler Gateway 14.1 to at least build 14.1-8.50
- For NetScaler ADC and NetScaler Gateway 13.1 to at least build 13.1-49.15
- For NetScaler ADC and NetScaler Gateway 13.0 to at least build 13.0-92.19
- For NetScaler ADC 13.1-FIPS to at least build 13.1-37.164
- For NetScaler ADC 12.1-FIPS to at least build 12.1-55.300
- For NetScaler ADC 12.1-NDcPP to at least build 12.1-55.300
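To triage an appliance inventory against the lists above, the following added example (not Citrix or Northwave code) compares build strings numerically with the minimum fixed builds. The function names, verdict labels, the `gateway_or_aaa` flag and the sample inventory are assumptions made for illustration; the build string format follows the notation used in this advisory.

```python
import re

# Minimum fixed builds copied from the advisory: (release, edition) -> build.
FIXED = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def assess(version, edition="standard", gateway_or_aaa=True):
    """Classify a build string such as '13.1-49.13' against the advisory."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, b1, b2 = map(int, m.groups())
    if (major, minor) < (12, 1):
        return "end-of-life"  # advisory: prior to 12.1 is EOL and vulnerable
    fixed = FIXED.get((f"{major}.{minor}", edition))
    if fixed is None:
        return "not-listed"  # release/edition not covered by the advisory
    # Integer tuple comparison: 49.9 sorts below 49.15, unlike string compare.
    if (b1, b2) >= fixed:
        return "fixed"
    # Advisory: only Gateway or AAA virtual server configurations are affected.
    return "vulnerable" if gateway_or_aaa else "below-fix-not-gateway"


# Constructed sample inventory: (host, build, edition, gateway_or_aaa).
INVENTORY = [
    ("gw-01", "13.1-49.13", "standard", True),
    ("gw-02", "14.1-12.35", "standard", True),
    ("adc-fips-01", "13.1-37.159", "FIPS", True),
    ("lb-01", "13.0-91.13", "standard", False),
    ("legacy-01", "11.1-65.22", "standard", True),
]


def triage(inventory):
    """Return {host: verdict} for every appliance in the inventory."""
    return {h: assess(v, e, g) for h, v, e, g in inventory}


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host:12} {verdict}")
```
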
What should you do?
If you use a vulnerable version of the software, we recommend updating the NetScaler ADC and NetScaler Gateway to one of the versions mentioned above as soon as possible. Bear in mind that existing sessions may persist after the update.
It is advised to take the following measures after the update:
- Terminate all active authenticated sessions.
- Rotate the credentials.
- In case of identified web shells or backdoors, rebuild the appliances from a clean-source image.
If an immediate update is not possible, it is suggested to limit access to the devices to trusted IP address ranges only.
What will Northwave do?
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: firstname.lastname@example.org
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.