Citrix Patches Critical NetScaler ADC, Gateway Vulnerability

October 11, 2023 at 10:07AM

Citrix has released patches for a critical vulnerability in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. The vulnerability, CVE-2023-4966, could lead to sensitive information disclosure and can be exploited without authentication. Citrix advises customers to upgrade their appliances to the supported versions. The company has also addressed a denial-of-service flaw (CVE-2023-4967) and announced hotfixes for vulnerabilities in Citrix Hypervisor. Administrators are urged to review Citrix’s advisories and apply the necessary patches to prevent potential attacks.

Citrix announced patches for multiple vulnerabilities affecting NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. The critical-severity vulnerability, tracked as CVE-2023-4966, could lead to sensitive information disclosure. The issue can be exploited without authentication, but only on appliances configured as a Gateway or as an AAA virtual server.
The affected versions include NetScaler ADC and NetScaler Gateway versions 14.1, 13.1, 13.0, 13.1-FIPS, 12.1-FIPS, and 12.1-NDcPP. To address the vulnerability, Citrix has released updated versions of NetScaler ADC and NetScaler Gateway, namely 14.1-8.50, 13.1-49.15, 13.0-92.19, 13.1-FIPS 13.1-37.164, 12.1-FIPS 12.1-55.300, and 12.1-NDcPP 12.1-55.300.
Customers are advised to upgrade their appliances to the supported versions to mitigate the vulnerabilities. It is important to note that only customer-managed NetScaler ADC and Gateway products are impacted.
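The advisory gives one fixed build per affected branch and edition, which makes the practical question for an operator "is this appliance at or above the fixed build for its branch?" The script below is an added example, not Citrix's code or tooling: it encodes the fixed builds listed above and compares a NetScaler version string against them. It accepts the short "13.1-49.13" form and a `show version`-style "NetScaler NS13.1: Build 49.13.nc" line (the exact wording of that output is an assumption; adjust the regex to what your appliances print). Because 13.1 FIPS and 13.1 standard carry different fixed builds, the edition must be supplied separately; the sample inventory at the bottom is constructed.

```python
import re

# Fixed builds from the advisory summary, keyed by (release branch, edition).
# Branches absent from this table are not listed as affected on the page.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Matches "13.1-49.13" as well as "NetScaler NS13.1: Build 49.13.nc".
# The `show version` layout is assumed, not taken from the advisory.
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[:\s-]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, (build_major, build_minor)) from a version string."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch = match.group(1)
    build = (int(match.group(2)), int(match.group(3)))
    return branch, build


def assess(text, edition="standard"):
    """Classify one appliance as 'patched', 'vulnerable' or 'branch_not_listed'.

    'branch_not_listed' means the advisory summary gives no fixed build for this
    branch/edition pair; treat it as needing manual review, not as safe.
    """
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return "branch_not_listed"
    # Tuple comparison orders (49, 13) before (49, 15), as intended.
    return "patched" if build >= fixed else "vulnerable"


def assess_fleet(inventory):
    """inventory: iterable of (hostname, version_string, edition) -> {hostname: status}."""
    return {host: assess(version, edition) for host, version, edition in inventory}


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("gw-edge-01", "NetScaler NS13.1: Build 49.13.nc", "standard"),
    ("gw-edge-02", "13.1-49.15", "standard"),
    ("gw-fips-01", "13.1-37.164", "FIPS"),
    ("adc-core-01", "14.1-8.50", "standard"),
    ("adc-legacy-01", "12.1-55.300", "standard"),
]

if __name__ == "__main__":
    for host, status in assess_fleet(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
```

Anything reported as `branch_not_listed` deserves a look rather than a pass: the advisory summary only enumerates builds for the branches it names, so an appliance on a branch outside that table may simply be unsupported.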
Additionally, Citrix released hotfixes for five vulnerabilities in Citrix Hypervisor 8.2 CU1 LTSR. These vulnerabilities could allow malicious code in a guest VM to compromise the host, crash the host, crash another VM on the host, or access information from code on the same CPU core. The specific vulnerabilities (CVE-2023-20588, CVE-2023-34324, CVE-2023-34326, CVE-2023-3432, and CVE-2022-1304) have various impacts and requirements. It is recommended to apply all available hotfixes.
Citrix has not mentioned any exploits of these vulnerabilities in the wild, but administrators are encouraged to review Citrix’s advisories and apply the necessary patches. The US cybersecurity agency CISA has also warned about the potential for attackers to exploit these vulnerabilities to gain control of affected systems.