Citrix has released a security bulletin (CTX693420) disclosing two high-severity vulnerabilities affecting NetScaler ADC and NetScaler Gateway appliances. Depending on the deployment configuration, these vulnerabilities could allow attackers to bypass management access controls or perform memory over-reads.
Citrix rates these vulnerabilities as CRITICAL.
While Citrix has not confirmed active exploitation in the wild, these flaws are considered critical in environments where the affected systems are exposed to the internet or lack proper segmentation.
DESCRIPTION
The two vulnerabilities disclosed impact NetScaler ADC and NetScaler Gateway as follows:
- CVE-2025-5349: A flaw in access control enforcement on the management interface could allow unauthorized users with network access to the NSIP, CLIP, or GSLB IP addresses to bypass expected restrictions.
- CVE-2025-5777: An input validation weakness on the Gateway interface may allow an unauthenticated attacker to perform memory over-reads by sending specially crafted requests to VPN, ICA Proxy, or AAA virtual servers.
Both vulnerabilities present significant risk depending on how the NetScaler instance is deployed and whether interfaces are exposed externally or accessible within internal networks.
SCOPE
The following supported versions are affected:
- NetScaler ADC and NetScaler Gateway
  - Versions before 14.1-43.56
  - Versions before 13.1-58.32
- NetScaler ADC 13.1-FIPS
  - Versions before 13.1-37.235-FIPS
- NetScaler ADC 12.1-FIPS
  - Versions before 12.1-55.328-FIPS
- NetScaler ADC 13.1-NDcPP
  - Versions before 13.1-37.235-NDcPP
Note: Builds 12.1 and 13.0 are End of Life and will not receive security updates. Organizations running these versions should plan for an immediate upgrade.
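To turn the scope list above into a repeatable inventory check, the following Python (an added example, not code from Citrix or Systems Engineering) classifies a NetScaler build string against the fixed builds in the bulletin. The `show version` output pattern it accepts and the sample strings in the usage block are assumptions about the format, not taken from the bulletin.

```python
import re
from typing import NamedTuple, Optional

class NSVersion(NamedTuple):
    branch: str     # release branch, e.g. "14.1"
    build: tuple    # (build major, build minor), e.g. (43, 56)
    variant: str    # "", "FIPS" or "NDcPP"

# First fixed build per (branch, variant), taken from the SCOPE list of CTX693420.
# Anything on the same branch and variant with a lower build is affected.
FIXED = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}
# Non-FIPS branches the bulletin marks End of Life: no fixed build will be released.
EOL = {"12.1", "13.0"}
VARIANTS = {"fips": "FIPS", "ndcpp": "NDcPP"}

# Accepted inputs: the bulletin's "14.1-43.56[-FIPS]" form, and (assumed format)
# a `show version` style line such as "NetScaler NS13.1: Build 58.32.nc".
_PATTERNS = [
    re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.I),
    re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)(?:\.nc)?(?:[-\s]*(FIPS|NDcPP))?", re.I),
]

def parse_version(text: str) -> Optional[NSVersion]:
    """Return branch, build tuple and variant, or None if the string is unrecognised."""
    for pat in _PATTERNS:
        m = pat.search(text.strip())
        if m:
            branch, major, minor, variant = m.groups()
            return NSVersion(branch, (int(major), int(minor)), VARIANTS.get((variant or "").lower(), ""))
    return None

def assess(text: str) -> str:
    """Classify a build as 'patched', 'affected', 'eol' (affected, no fix coming) or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    fixed = FIXED.get((v.branch, v.variant))
    if fixed is not None:
        return "patched" if v.build >= fixed else "affected"   # tuple compare handles 58.9 < 58.32
    if v.branch in EOL and v.variant == "":
        return "eol"        # upgrade to a supported branch; patching in place is not an option
    return "unknown"        # branch/variant not covered by the bulletin: verify manually

if __name__ == "__main__":
    # Constructed sample inventory, not real appliance output.
    for s in ["14.1-43.56", "NetScaler NS13.1: Build 58.31.nc", "13.1-37.235-FIPS", "NS13.0: Build 92.21.nc"]:
        print(f"{s:40} {assess(s)}")
```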
COURSE OF ACTION
Due to the severe risk posed by these vulnerabilities, Systems Engineering is proactively patching clients subscribed to the SE Platform and NetAdmin with NetScalers in their compute environments.
For all other clients, we strongly recommend that you update your impacted systems with the latest security patches as soon as possible. Citrix has provided upgrade instructions in security bulletin CTX693420.
If you are a Systems Engineering client and have questions about this Security Alert, please contact your Account Manager.