

SECURITY ALERT: Citrix NetScaler ADC and Gateway Zero-Day Vulnerabilities

January 19, 2024 | Posted in: Security Bulletins & Alerts

Systems Engineering is aware of the vulnerabilities recently found in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Exploits on unmitigated appliances have been observed. 

Citrix rates these vulnerabilities as HIGH.

Description

Citrix has released a security bulletin addressing two (2) vulnerabilities: CVE-2023-6548 and CVE-2023-6549. These vulnerabilities could potentially allow an attacker to gain unauthorized access to sensitive information or execute arbitrary code on affected systems.

  • CVE-2023-6548 is a remote code execution (RCE) vulnerability in the NetScaler ADC and Gateway appliances. An authenticated attacker with low-level privileges could exploit this vulnerability if they can access NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP) with access to the appliance’s management interface. 
  • CVE-2023-6549 is a denial of service (DoS) vulnerability in the NetScaler ADC and Gateway appliances. An attacker could exploit this vulnerability when a vulnerable appliance has been configured as a Gateway (e.g. VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Scope

The following supported versions of NetScaler are impacted: 

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.
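To turn the version list above into a repeatable check, the following script (an added example, not tooling from Citrix or Systems Engineering) parses NetScaler build strings of the form `major.minor-build.sub`, compares them numerically against the fixed builds named in this bulletin, and flags the standard 12.1 train as EOL with no fix. The `show version` line format in `from_show_version` and the sample build strings are assumptions constructed for the example; the fixed-build numbers are the ones listed above.

```python
"""Assess whether a NetScaler ADC / Gateway build falls in the affected
range for CVE-2023-6548 / CVE-2023-6549 as listed in the bulletin.
Added example; not Citrix's or Systems Engineering's own tooling."""
import re
from typing import Optional, Tuple

# Fixed builds from the bulletin, keyed by (release train, variant).
# variant "" is the standard build; "FIPS" / "NDcPP" as named in the bulletin.
FIXED_BUILDS = {
    ("14.1", ""): "14.1-12.35",
    ("13.1", ""): "13.1-51.15",
    ("13.0", ""): "13.0-92.21",
    ("13.1", "FIPS"): "13.1-37.176",
    ("12.1", "FIPS"): "12.1-55.302",
    ("12.1", "NDcPP"): "12.1-55.302",
}

# Standard 12.1 is End Of Life: every build is affected and none is fixed.
EOL_TRAINS = {("12.1", "")}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
# Assumed layout of a `show version` line, e.g.
# "NetScaler NS13.1: Build 50.23.nc, Date: ...". Constructed for this example.
_SHOW_VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+\.\d+)")


def parse_build(build: str) -> Tuple[int, ...]:
    """Parse 'major.minor-build.sub' into a tuple of ints so that
    comparison is numeric (14.1-8.50 < 14.1-12.35), not lexical."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def from_show_version(line: str) -> Optional[str]:
    """Extract 'major.minor-build.sub' from an assumed `show version` line;
    returns None when the line does not match the assumed layout."""
    m = _SHOW_VERSION_RE.search(line)
    if not m:
        return None
    return f"{m.group(1)}-{m.group(2)}"


def assess(build: str, variant: str = "") -> str:
    """Return one of:
      'affected'      - listed train, build older than the fixed build
      'fixed'         - listed train, build at or above the fixed build
      'eol-affected'  - standard 12.1, EOL and vulnerable with no fix
      'not-listed'    - train/variant not named in the bulletin
    """
    parsed = parse_build(build)
    train = f"{parsed[0]}.{parsed[1]}"
    key = (train, variant)
    if key in EOL_TRAINS:
        return "eol-affected"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "not-listed"
    return "affected" if parsed < parse_build(fixed) else "fixed"


if __name__ == "__main__":
    # Constructed sample inventory: (appliance name, show-version line, variant)
    inventory = [
        ("ns-gw-01", "NetScaler NS13.1: Build 50.23.nc, Date: Oct 1 2023", ""),
        ("ns-adc-02", "NetScaler NS14.1: Build 8.50.nc, Date: Sep 1 2023", ""),
        ("ns-fips-03", "NetScaler NS12.1: Build 55.302.nc, Date: Dec 1 2023", "FIPS"),
        ("ns-old-04", "NetScaler NS12.1: Build 65.25.nc, Date: Jan 1 2023", ""),
    ]
    for name, line, variant in inventory:
        build = from_show_version(line)
        status = assess(build, variant) if build else "unparsed"
        print(f"{name:<10} {build or '?':<14} {variant or 'std':<6} {status}")
```

Note the numeric comparison in `parse_build`: a naive string compare would rank `14.1-8.50` above `14.1-12.35` and silently report an affected appliance as fixed. The `variant` argument matters for the same reason; a 13.1-FIPS appliance must be compared against 13.1-37.176, not the standard 13.1-51.15.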

Course of Action

Systems Engineering is proactively patching clients subscribed to SE Platform and NetAdmin services that have NetScalers in their compute environment. Due to the zero-day nature of the vulnerability, the work involved in patching is not covered under service contracts.

For all other clients, we strongly recommend you update impacted systems with the latest security patches as soon as possible. Citrix has provided instructions in their security advisory here.

If you are a Systems Engineering client and have questions about this Security Alert, please contact your Account Manager.