October 10, 2023 at 11:55AM
Citrix NetScaler ADC and NetScaler Gateway are affected by two vulnerabilities, CVE-2023-4966 and CVE-2023-4967. The first flaw allows for the disclosure of sensitive information, while the second can lead to denial of service. Upgrading to the recommended fixed versions is advised. Version 12.1 has reached end-of-life and no longer receives support. This information is important as critical-severity flaws in Citrix products are often targeted by hackers, as demonstrated by recent exploitation of a similar flaw.
Meeting Notes Summary:
Citrix NetScaler ADC and NetScaler Gateway have been affected by a critical severity flaw, identified as CVE-2023-4966. This flaw allows for the disclosure of sensitive information from vulnerable appliances. It has a CVSS rating of 9.4 and can be remotely exploited without requiring high privileges, user interaction, or high complexity. However, the appliance must be configured as a Gateway or an AAA virtual server to be vulnerable. The vendor has not provided specific details about the exposed information.
Another vulnerability, CVE-2023-4967, has also been disclosed. This high-severity flaw carries the same prerequisites and can potentially cause denial of service (DoS) on vulnerable devices. It has a CVSS score of 8.2.
The affected versions of Citrix products include NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50, NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15, NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19, NetScaler ADC 13.1-FIPS before 13.1-37.164, NetScaler ADC 12.1-FIPS before 12.1-55.300, and NetScaler ADC 12.1-NDcPP before 12.1-55.300.
The recommended action is to upgrade to a fixed version that addresses the security updates for both flaws. Citrix has not provided any mitigation tips or workarounds this time.
Citrix advises affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. The target versions to upgrade to are the fixed builds named above.
It is important to note that version 12.1 of Citrix products has reached its end of life (EOL) date and will no longer be supported. Users are advised to upgrade to a newer and actively supported release.
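As an added example (not code from the article or from Citrix), the following Python helper turns the fixed-build list above into a check an administrator can run against their own inventory. It assumes build strings are written the way the advisory writes them (e.g. "13.1-49.15", optionally prefixed with "NS") and that the hardened trains are passed as variant "FIPS" or "NDcPP"; it only compares build numbers and does not inspect whether the appliance is configured as a Gateway or AAA virtual server.

```python
import re
from typing import Tuple

# Fixed builds per release train, as listed in the advisory summary above.
# Key: (release, variant) where variant is "" for standard builds,
# "FIPS" or "NDcPP" for the hardened trains.
FIXED_BUILDS = {
    ("14.1", ""): "14.1-8.50",
    ("13.1", ""): "13.1-49.15",
    ("13.0", ""): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}

# Assumed build-string shape: major.minor-build.sub, e.g. "13.1-49.15".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build: str) -> Tuple[int, int, int, int]:
    """Turn '13.1-49.15' or 'NS13.1-49.15' into a comparable tuple of ints."""
    normalised = build.strip().upper()
    if normalised.startswith("NS"):
        normalised = normalised[2:]
    m = _VERSION_RE.match(normalised)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    major, minor, bld, sub = (int(x) for x in m.groups())
    return (major, minor, bld, sub)


def assess(build: str, variant: str = "") -> str:
    """Classify a build against the CVE-2023-4966 / CVE-2023-4967 fixes.

    Returns 'patched', 'vulnerable', 'end-of-life' (standard 12.1, which the
    advisory says receives no fix) or 'not-covered' (a train the advisory
    does not list, so nothing can be concluded from this table).
    """
    parsed = parse_build(build)
    release = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return "end-of-life" if (release, variant) == ("12.1", "") else "not-covered"
    # Tuple comparison orders (major, minor, build, sub) lexicographically,
    # so 13.1-49.13 sorts below the fixed 13.1-49.15 and is reported vulnerable.
    return "patched" if parsed >= parse_build(fixed) else "vulnerable"
```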
Critical-severity flaws in Citrix products are highly sought-after by hackers, as Citrix products are used by large organizations with valuable assets. An example of recent exploitation is CVE-2023-3519, a critical remote code execution flaw fixed by Citrix as a zero-day in July 2023. That flaw is currently being actively exploited by cybercriminals to plant backdoors and steal credentials.
Full Article – https://ift.tt/EUWjVc2