[CDP-development] TLP:GREEN (Vulnerability Alert Notification) CVE-2023-4966 & CVE-2023-4967 in Citrix NetScaler ADC and Citrix NetScaler Gateway Appliances
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Tue Oct 10 11:49:46 PDT 2023
Good morning,
The SOC Services team is reporting on the vulnerabilities: CVE-2023-4966 Sensitive Information Disclosure in Citrix NetScaler ADC and Citrix NetScaler Gateway and CVE-2023-4967 Denial of Service for Citrix NetScaler ADC and Citrix NetScaler Gateway. Due to its high visibility, knowledge of the appliances in the state environment, and potential for exploitation, we are providing this in-depth information:
History: On October 10, 2023, Citrix released updates to patch their NetScaler ADC and NetScaler Gateway appliances, addressing two CVEs: CVE-2023-4966 is a Sensitive Information Disclosure vulnerability and is currently assigned a CVSSv3 rating of 9.4 (Critical); and CVE-2023-4967 is a Denial of Service vulnerability and is currently assigned a CVSSv3 rating of 8.2 (High). The CVEs were established on October 10, 2023.
The following products are affected:
* NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
* NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
* NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
* NetScaler ADC 13.1-FIPS before 13.1-37.164
* NetScaler ADC 12.1-FIPS before 12.1-55.300
* NetScaler ADC 12.1-NDcPP before 12.1-55.300
Patches are available from Citrix to fix the vulnerabilities. The fixed versions are:
* NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
* NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
* NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
* NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
* NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
* NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
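The affected and fixed version lists above can be turned into an inventory triage check. The following is an added example, not part of the original advisory or any Citrix tooling; the hostnames, sample builds, the `edition` label and the `NS13.1: Build 49.13.nc` banner shape are assumptions made for illustration.

```python
import re

# First fixed build per (release, edition), copied from the advisory's list.
FIXED = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Accepts "13.1-49.13" (advisory notation) or "NS13.1: Build 49.13.nc" (assumed).
VERSION_RE = re.compile(r"(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")

def parse_version(text):
    """Return (release, (build_major, build_minor)) or None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(text, edition="standard"):
    """Classify a version string: affected, fixed, not-listed or unparseable."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    release, build = parsed
    fixed = FIXED.get((release, edition.lower()))
    if fixed is None:
        return "not-listed"  # branch is not in the advisory; do not guess
    # Tuple comparison is numeric, so 92.9 < 92.19 (a string compare gets this wrong).
    return "affected" if build < fixed else "fixed"

def triage(inventory):
    """Map host -> status for (host, version_text, edition) records."""
    return {host: assess(ver, ed) for host, ver, ed in inventory}

# Constructed inventory; hostnames and builds are made up for illustration.
SAMPLE = [
    ("gw-01", "NetScaler NS13.1: Build 49.13.nc", "standard"),
    ("gw-02", "13.1-49.15", "standard"),
    ("gw-04", "13.0-92.9", "standard"),
    ("adc-fips", "13.1-37.159", "FIPS"),
    ("adc-old", "12.1-65.35", "standard"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The check covers version only; an "affected" result still needs to be matched against whether the appliance is configured as a Gateway or AAA virtual server.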
Further information is available from Citrix as published in their Knowledge Center:
* Citrix Security Bulletin for CVE-2023-4966 and CVE-2023-4967 - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
Intelligence: As of October 10, 2023, Citrix is unaware of either CVE being exploited. However, given that the appliances have recently been targets of other exploitable CVEs, and that CVE-2023-4966 is remotely exploitable, it is very likely that these vulnerabilities will be leveraged by threat actors over the coming months.
Workarounds: There are no workarounds at this time.
How it works: CVE-2023-4966 is remotely exploitable without the need for high-level privileges, user interaction, or complex procedures. Both CVEs are exploited through unauthenticated operations within the bounds of a memory buffer. For either CVE to be exploited, the NetScaler appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as a AAA virtual server.
Post-Exploit: Upon successful exploitation of CVE-2023-4966, an attacker could obtain sensitive information. Citrix has not yet provided details as to what specific information may be disclosed.
Upon successful exploitation of CVE-2023-4967, an attacker could create a denial of service on the vulnerable device, affecting availability of resources.
No known indicators of compromise have been publicly shared at this time.
As of October 10, 2023, Tenable has not yet released plugins for either vulnerability, nor are any currently in development in the plugin pipeline.
Recommended Actions:
* Enable logging.
* Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
* Maintain good cyber hygiene and follow vendor patching recommendations.
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."