NetScaler’s ADC and Gateway Products: New Vulnerabilities Uncovered and Patched

Just when you thought you had recovered from Bleed, two vulnerabilities in NetScaler’s ADC and Gateway products have been rectified, though not before malicious actors discovered and exploited them, according to the vendor.

CVE-2023-6548 could enable remote code execution (RCE) in the appliances’ management interface. It carries a 5.5 CVSS rating, low for an RCE bug, and exploitation requires the attacker to be authenticated, albeit with low-level privileges, and to have access to the NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP) with management interface access.

Furthermore, this vulnerability is not exploitable if the management console and related technologies are not exposed to the public internet, and NetScaler’s configuration guidelines recommend setting them up solely on a private network. TLDR: Adhering to Citrix’s instructions should ensure the safety of your appliances.

The downside? According to Shadowserver, just over 1,400 NetScaler management interfaces were exposed on the internet as of Wednesday afternoon.

The second bug, CVE-2023-6549, carries an 8.2 CVSS rating and could allow a denial-of-service attack. Successful exploitation requires the appliance to be configured as a gateway (e.g., VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server providing authentication, authorization, and accounting controls.
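To check which of the preconditions described above apply to a given appliance, the following added example (not from the article or from Citrix) scans a saved configuration for management-enabled IPs and for gateway or AAA virtual servers. It assumes the `ns.conf` command forms `set ns config -IPAddress`, `add ns ip ... -mgmtAccess ENABLED`, `add vpn vserver` and `add authentication vserver`; the function name `triage` and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed ns.conf excerpt (sample values, not from a real appliance).
# 203.0.113.0/24 is a documentation range standing in for a public address.
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add ns ip 10.0.0.11 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 203.0.113.20 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.0.1.12 255.255.255.0 -type SNIP
add lb vserver web_lb HTTP 10.0.0.50 80
add vpn vserver gw_vs SSL 203.0.113.21 443
add authentication vserver aaa_vs SSL 10.0.0.60 443
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NSIP_RE = re.compile(r"^set ns config\b.*?-IPAddress\s+(\S+)", re.I)
ADD_IP_RE = re.compile(r"^add ns ip\s+(\S+)\s+\S+(.*)$", re.I)
VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver\s+(\S+)", re.I)

def triage(conf_text):
    """Collect the preconditions the article lists for each CVE."""
    mgmt_ips, gateway_or_aaa = [], []
    for line in conf_text.splitlines():
        line = line.strip()
        if m := NSIP_RE.match(line):
            mgmt_ips.append(m.group(1))  # the NSIP is a management address
        elif m := ADD_IP_RE.match(line):
            # SNIP/CLIP entries matter only when management access is enabled
            if re.search(r"-mgmtAccess\s+ENABLED", m.group(2), re.I):
                mgmt_ips.append(m.group(1))
        elif m := VSERVER_RE.match(line):
            # Gateway or AAA virtual server: the CVE-2023-6549 precondition
            gateway_or_aaa.append((m.group(1).lower(), m.group(2)))
    # An RFC 1918 address can still be published through NAT, so treat this
    # list as "review first", not as proof that the rest are unreachable.
    outside = [ip for ip in mgmt_ips
               if not any(ipaddress.ip_address(ip) in net for net in RFC1918)]
    return {"mgmt_ips": mgmt_ips,
            "non_rfc1918_mgmt_ips": outside,
            "gateway_or_aaa": gateway_or_aaa}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NS_CONF).items():
        print(f"{key}: {value}")
```
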

“Exploits of these CVEs on unmitigated appliances have been observed,” according to a Tuesday security alert from Citrix.

These flaws affect only customer-managed NetScaler ADC and NetScaler Gateway, so customers using NetScaler-managed services need not fret about any of this.

Affected products include:

Customers are advised to install updated versions: “We recommend immediate application of fixes,” according to the vendor’s guidance.

In response to The Register’s inquiries, Citrix mentioned being aware of “only a limited number of exploits in the wild.”

“The vulnerabilities only apply to customer-managed instances and do not apply to cloud managed services,” the vendor added. “NetScaler recommends customers apply the fixes quickly before the exploitation becomes widespread.”

The US Cybersecurity and Infrastructure Security Agency has promptly added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog.

And while this may evoke memories of Citrix Bleed, the vendor says these new bugs under attack are unrelated to that zero-day. Citrix Bleed, of course, is the critical information-disclosure bug affecting NetScaler ADC and NetScaler Gateway, disclosed in October and used to infect victims with ransomware and pilfer, among other data, millions of Comcast Xfinity subscribers’ personal information.

Unlike Citrix Bleed, the latest security flaws do not facilitate data exfiltration, rendering them less appealing to potential digital thieves and ransomware crews.

A couple of Tenable security research engineers offered insights on the vulnerabilities. Satnam Narang and Scott Caveza noted that although these mark the second and third zero-days for Citrix appliances in the last four months, “the impact from these two new zero-day vulnerabilities is not expected to be as significant as Citrix Bleed.”

“Nonetheless, organizations employing these appliances in their networks should apply the available patches as soon as possible,” the duo added.
