New critical Citrix NetScaler flaw exposes 'sensitive' data

Citrix NetScaler ADC and NetScaler Gateway are impacted by a critical severity flaw that allows the disclosure of sensitive information from vulnerable appliances.

The flaw is tracked as CVE-2023-4966 and has received a CVSS rating of 9.4, being remotely exploitable without requiring high privileges, user interaction, or high complexity.

However, there's the prerequisite of the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server for it to be vulnerable to attacks.

While the flaw's exploitation can lead to "sensitive information disclosure," the vendor has not provided any details about what information is exposed. 

A second vulnerability disclosed in the same bulletin is CVE-2023-4967, a high-severity (CVSS score: 8.2) flaw carrying the same prerequisites, which can potentially cause denial of service (DoS) on vulnerable devices.

The affected versions of Citrix products are:

• NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
• NetScaler ADC 13.1-FIPS before 13.1-37.164
• NetScaler ADC 12.1-FIPS before 12.1-55.300
• NetScaler ADC 12.1-NDcPP before 12.1-55.300

The recommended action is to upgrade to a fixed version that implements security updates addressing the two flaws. Citrix has provided no mitigation tips or workarounds this time.

"Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible," reads Citrix's security bulletin.

The target versions to upgrade to are:

• NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
• NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
• NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0 
• NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS 
• NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS 
• NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP 

It is noted that version 12.1 has reached its end of life (EOL) date and will no longer be supported by Citrix. Hence, users are recommended to upgrade to a newer, actively supported release.

Critical-severity flaws in Citrix products are highly sought-after by hackers, as large organizations with valuable assets use these devices.

A recent example of such exploitation is CVE-2023-3519, a critical remote code execution flaw Citrix fixed as a zero-day in July 2023.

This flaw is currently under active exploitation by numerous cybercriminals who leverage the available exploits for planting backdoors and stealing credentials.