SECURITY ALERT: Citrix ADC and Citrix Gateway Vulnerabilities

Written by Systems Engineering | July 19, 2023

Systems Engineering is aware of the vulnerabilities recently found in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Exploitation of unmitigated appliances has been observed.

Citrix rates these vulnerabilities as CRITICAL.

Description

Citrix has released a security bulletin addressing three (3) vulnerabilities: CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467. These vulnerabilities could potentially allow an attacker to gain unauthorized access to sensitive information or execute arbitrary code on affected systems.

  • CVE-2023-3519
    • This vulnerability is related to improper input validation in Citrix ADC and Citrix Gateway. 
  • CVE-2023-3466 and CVE-2023-3467
    • These vulnerabilities involve improper handling of certain requests by Citrix ADC and Citrix Gateway. 

Scope

The following supported versions of NetScaler are impacted: 

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13 
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-55.297
  • NetScaler ADC 12.1-NDcPP before 12.1-55.297
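
An added example, not part of the original alert or of any Citrix tooling: a small Python check that compares appliance versions from an inventory against the fixed builds listed above. The edition labels, hostnames and inventory format are assumptions made for illustration; builds are compared numerically so that a version such as 13.1-9.60 is not mistaken for newer than 13.1-49.13.

```python
import re

# First fixed build per (release, edition), copied from the Scope list above.
FIRST_FIXED = {
    ("13.1", "standard"): (49, 13),
    ("13.0", "standard"): (91, 13),
    ("13.1", "fips"): (37, 159),
    ("12.1", "fips"): (55, 297),
    ("12.1", "ndcpp"): (55, 297),
}

# Versions are expected in the notation this alert uses, e.g. "13.1-49.13".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def assess(version, edition="standard"):
    """Return 'affected', 'fixed', or 'not-listed' for one appliance."""
    match = VERSION_RE.match(version.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = match.group(1)
    # Compare builds as integer pairs: as text, "9.60" sorts after "49.13".
    build = (int(match.group(2)), int(match.group(3)))
    first_fixed = FIRST_FIXED.get((release, edition.strip().lower()))
    if first_fixed is None:
        return "not-listed"  # pair is not in this alert's list; check the vendor bulletin
    return "affected" if build < first_fixed else "fixed"


def needs_patch(inventory):
    """Return hostnames whose version falls below the first fixed build."""
    return [host for host, version, edition in inventory
            if assess(version, edition) == "affected"]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("adc-01.example.internal", "13.1-48.47", "standard"),
    ("adc-02.example.internal", "13.1-49.13", "standard"),
    ("adc-03.example.internal", "13.1-9.60", "standard"),
    ("gw-01.example.internal", "13.0-91.13", "standard"),
    ("fips-01.example.internal", "12.1-55.296", "FIPS"),
]

if __name__ == "__main__":
    for host in needs_patch(SAMPLE_INVENTORY):
        print(f"PATCH: {host}")
```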

Course of Action

Citrix has released patches to address these vulnerabilities. For clients with Network Administration and SE Essentials services, we are presently working to patch affected versions of NetScaler.

For all other clients, we strongly recommend you update impacted systems with the latest security patches as soon as possible. Citrix has provided instructions in their security advisory here.

If you are a Systems Engineering client and have questions about this Security Alert, please contact your Account Manager.