Flame of 0day attacks engulfs Citrix: RCE and DoS threaten the security of NetScaler clients

Brother

Update today or continue to risk your data – the choice is up to users.

Citrix strongly recommends that users immediately install patches on Internet-facing NetScaler ADC and NetScaler Gateway devices to prevent attacks exploiting two new, actively exploited zero-day vulnerabilities.

These security flaws, identified as CVE-2023-6548 and CVE-2023-6549, affect the NetScaler management interface and leave unpatched instances open to remote code execution and denial of service, respectively.

For the remote code execution flaw, an attacker needs a low-privilege account and network access to the management interface through an NSIP, CLIP, or SNIP that has management access enabled. For the denial-of-service flaw, the device must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

According to the company, only customer-managed NetScaler devices are affected by these vulnerabilities. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not affected.

The list of NetScaler product versions affected by these vulnerabilities includes:
  • NetScaler ADC and NetScaler Gateway from 14.1 to 14.1-12.35
  • NetScaler ADC and NetScaler Gateway from 13.1 to 13.1-51.15
  • NetScaler ADC and NetScaler Gateway from 13.0 to 13.0-92.21
  • NetScaler ADC 13.1-FIPS up to 13.1-37.176
  • NetScaler ADC 12.1-FIPS up to 12.1-55.302
  • NetScaler ADC 12.1-NDcPP up to 12.1-55.302

According to the Shadowserver threat monitoring platform, about 1,500 NetScaler management interfaces are currently reachable from the Internet.

In its recent security advisory, Citrix urges administrators to update their NetScaler devices immediately to prevent potential attacks.

The company warns that exploitation of these vulnerabilities on unpatched devices has already been observed, and therefore recommends that NetScaler ADC and NetScaler Gateway customers install the corresponding updated versions as soon as possible.

Those still running NetScaler ADC and NetScaler Gateway version 12.1, which has reached end of life, are also advised to upgrade to a version that is still supported.

Administrators who cannot immediately install the latest security updates should block network traffic to the affected instances and ensure that they are not reachable from the Internet. Citrix also recommends physically or logically separating traffic to the device's management interface from normal network traffic.

In addition, the company advises, as a general rule, against exposing the management interface to the Internet at all. Removing that access significantly reduces the risk of this problem being exploited.

Another critical NetScaler vulnerability, patched in October and tracked as CVE-2023-4966 (later dubbed Citrix Bleed), has also been exploited since August by various threat groups to break into the networks of government organizations and major technology companies around the world, such as Boeing.

The Health Sector Cybersecurity Coordination Center (HC3) has also issued an industry-wide warning, urging healthcare organizations to protect their NetScaler ADC and NetScaler Gateway instances from escalating ransomware attacks.
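As an added example (not part of the post and not Citrix tooling), the script below turns the affected-version list and the exploitation preconditions above into an inventory triage check. It assumes the boundary build the post lists for each release line is the first fixed build (so a build equal to it counts as patched), treats the end-of-life 12.1 line as exposed because no fix will ship for it, and assumes that `show ns version` prints a line of the form `NetScaler NS13.1: Build 51.15.nc, ...`. The hostnames and version strings in the inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected release lines from the advisory summary in this post, keyed by
# (release line, variant). The build on the right is the boundary build the
# post lists; this script assumes it is the first fixed build, so builds
# below it are vulnerable and the boundary build itself counts as patched.
FIXED_BUILD: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", ""): (12, 35),
    ("13.1", ""): (51, 15),
    ("13.0", ""): (92, 21),
    ("13.1", "FIPS"): (37, 176),
    ("12.1", "FIPS"): (55, 302),
    ("12.1", "NDcPP"): (55, 302),
}

# Release lines the post describes as end-of-life: no fix will ship.
END_OF_LIFE = {("12.1", "")}

# Advisory-style version text, e.g. "13.1-51.15" or "13.1-FIPS 13.1-37.176".
ADVISORY_RE = re.compile(r"^(?:(\d+\.\d+)-(FIPS|NDcPP)\s+)?(\d+\.\d+)-(\d+)\.(\d+)$")
# CLI-style text as printed by `show ns version` (layout assumed here),
# e.g. "NetScaler NS13.1: Build 51.15.nc, Date: ...".
CLI_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, str, int, int]]:
    """Return (release_line, variant, build, sub_build), or None if unparseable.
    Build numbers come back as integers so that 51.9 sorts below 51.15;
    a plain string comparison would get that backwards."""
    text = text.strip()
    m = ADVISORY_RE.match(text)
    if m:
        return m.group(3), m.group(2) or "", int(m.group(4)), int(m.group(5))
    m = CLI_RE.search(text)
    if m:
        return m.group(1), "", int(m.group(2)), int(m.group(3))
    return None


def assess(version_text: str, variant: str = "") -> str:
    """Classify a build as 'vulnerable', 'patched', 'end-of-life', 'unlisted'
    (release line not named in the post) or 'unparseable'. `variant` lets the
    caller state FIPS/NDcPP when the version text itself does not carry it."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    line, parsed_variant, build, sub = parsed
    variant = parsed_variant or variant
    if (line, variant) in END_OF_LIFE:
        return "end-of-life"
    fixed = FIXED_BUILD.get((line, variant))
    if fixed is None:
        return "unlisted"
    return "vulnerable" if (build, sub) < fixed else "patched"


def applicable_cves(status: str, gateway_or_aaa: bool, mgmt_reachable: bool) -> List[str]:
    """Map the post's preconditions onto a build: CVE-2023-6548 (RCE) needs an
    attacker-reachable management interface (NSIP/CLIP/SNIP with management
    access) plus a low-privilege account; CVE-2023-6549 (DoS) needs a gateway
    or AAA virtual server configuration. End-of-life builds get no fix and are
    treated as exposed (a conservative assumption)."""
    if status not in ("vulnerable", "end-of-life"):
        return []
    cves = []
    if mgmt_reachable:
        cves.append("CVE-2023-6548")
    if gateway_or_aaa:
        cves.append("CVE-2023-6549")
    return cves


# Constructed inventory for illustration only: (host, version text, variant,
# gateway/AAA configured, management interface reachable from untrusted nets).
INVENTORY = [
    ("gw-edge-01",    "13.1-51.9",                                           "",      True,  False),
    ("gw-edge-02",    "NetScaler NS13.1: Build 51.15.nc, Date: Jan 1 2024",  "",      True,  False),
    ("adc-fips-01",   "13.1-FIPS 13.1-37.100",                               "",      False, True),
    ("adc-ndcpp-01",  "12.1-55.291",                                         "NDcPP", True,  True),
    ("adc-legacy-01", "12.1-65.39",                                          "",      True,  False),
    ("adc-core-01",   "14.1-12.35",                                          "",      False, True),
]


def triage(inventory) -> Dict[str, Tuple[str, List[str]]]:
    """Return {host: (status, [applicable CVEs])} for an inventory list."""
    result = {}
    for host, version, variant, gateway_or_aaa, mgmt_reachable in inventory:
        status = assess(version, variant)
        result[host] = (status, applicable_cves(status, gateway_or_aaa, mgmt_reachable))
    return result


if __name__ == "__main__":
    for host, (status, cves) in triage(INVENTORY).items():
        print(f"{host:16} {status:12} {', '.join(cves) or '-'}")
```

The numeric tuple comparison is the part worth copying: a build such as 13.1-51.9 is older than the fixed 13.1-51.15, but a string compare would rank it newer. The `mgmt_reachable` flag is also the one to audit first, since the post's own mitigation (keep the management interface off the Internet and on a separate network) removes the precondition for the RCE even before the patch lands.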