Citrix NetScaler ADC and Gateway vulnerabilities (CVE-2023-4966 and CVE-2023-4967)

There are serious vulnerabilities in older products from Citrix, as the manufacturer announced in a security alert. Both Citrix NetScaler ADC and Citrix NetScaler Gateway are affected by the vulnerabilities CVE-2023-4966 and CVE-2023-4967. An update is urgently recommended, and by now the download should also be possible again.


A short addendum for administrators of Citrix NetScaler ADC and NetScaler Gateway: patching is required. Several readers have pointed out the vulnerabilities in these products in comments and mails (thanks for that).

Citrix security warning

Citrix issued security alert CTX579459 (NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967) on October 10, 2023. Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). NetScaler ADC and NetScaler Gateway contain the following unauthenticated buffer-related vulnerabilities:

  • CVE-2023-4966: Sensitive information disclosure vulnerability; CVSS score 9.4
  • CVE-2023-4967: Denial of service vulnerability; CVSS score 8.2

In both cases, exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Only customer-managed NetScaler ADC and NetScaler Gateway products are affected. Customers using Citrix managed cloud services or Citrix managed Adaptive Authentication do not need to take any action.

Affected customers are encouraged to install appropriate updated versions of NetScaler ADC and NetScaler Gateway as soon as possible:


  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later versions
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later versions of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later versions of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later versions of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later versions of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later versions of 12.1-NDcPP

The download should now be possible again. A reader pointed out that the patch could not be downloaded for 7-8 hours, which was also discussed on reddit.com.

Citrix notes that NetScaler ADC and NetScaler Gateway version 12.1 is now end-of-life (EOL). Customers are advised to upgrade their appliances to one of the supported versions.
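To turn the version table above into something an administrator can run against an inventory, here is an added example (not from Citrix or from the original post) that classifies a NetScaler build against the fixed builds listed in CTX579459. It assumes build strings in the form "13.1-49.15" and takes the FIPS/NDcPP variant and the Gateway/AAA precondition as separate inputs, since the FIPS and NDcPP lines have their own fix builds.

```python
import re
from typing import Optional, Tuple

# Minimum fixed build per branch, as listed in Citrix bulletin CTX579459 (quoted above).
# FIPS and NDcPP builds sit on their own build lines: 13.1-37.164 on 13.1-FIPS is fixed,
# while plain 13.1 needs 13.1-49.15, so the variant must be part of the lookup key.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
    "13.1-FIPS": (37, 164),
    "12.1-FIPS": (55, 300),
    "12.1-NDcPP": (55, 300),
}
EOL_BRANCHES = {"12.1"}  # plain 12.1 is end-of-life per the bulletin; no fix exists

# Assumed build string format "<major>.<minor>-<build>.<sub>", e.g. "13.1-49.15".
_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '13.1-49.15' into ('13.1', (49, 15)) so builds compare numerically."""
    m = _BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version: str, variant: Optional[str] = None, gateway_or_aaa: bool = True) -> str:
    """Classify one appliance against CTX579459.

    variant: None for the standard build, else "FIPS" or "NDcPP". gateway_or_aaa: whether
    a Gateway or AAA virtual server is configured (the bulletin's exploitation precondition).
    """
    branch, build = parse_build(version)
    key = branch if variant is None else f"{branch}-{variant}"
    if key in FIXED_BUILDS:
        if build >= FIXED_BUILDS[key]:
            return "patched"
        # Report an unpatched build even without the vserver precondition: a later
        # configuration change would expose it, so it still belongs on the patch list.
        return "vulnerable" if gateway_or_aaa else "vulnerable-not-exposed"
    if branch in EOL_BRANCHES:
        return "eol"  # no fixed build will ship; upgrade to a supported branch
    return "unlisted"  # branch/variant not covered by the bulletin; verify manually


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver, var, exposed in [("gw-01", "13.1-49.13", None, True),
                                    ("gw-02", "13.1-37.164", "FIPS", True),
                                    ("lb-03", "12.1-65.25", None, False)]:
        print(host, ver, var or "std", assess(ver, var, exposed))
```

The "vulnerable-not-exposed" result is deliberate: an unpatched build without a Gateway or AAA vserver is not exploitable per the bulletin today, but it should still be scheduled for the update.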
