[CDP-development] TLP:GREEN (UPDATED Vulnerability Alert Notification) CVE-2023-4966 & CVE-2023-4967 in Citrix NetScaler ADC and Citrix NetScaler Gateway Appliances

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Thu Oct 19 11:52:44 PDT 2023


Good morning,

The SOC Services team is reporting on the vulnerabilities: CVE-2023-4966 Sensitive Information Disclosure in Citrix NetScaler ADC and Citrix NetScaler Gateway and CVE-2023-4967 Denial of Service for Citrix NetScaler ADC and Citrix NetScaler Gateway.  Due to its high visibility, knowledge of the appliances in the state environment, and potential for exploitation, we are providing this in-depth information:

History: UPDATED INFORMATION BELOW: On October 10, 2023, Citrix released updates to patch their NetScaler ADC and NetScaler Gateway appliances, addressing two CVEs: CVE-2023-4966 is a Sensitive Information Disclosure vulnerability and is currently assigned a CVSSv3 rating of 9.4 (Critical); and CVE-2023-4967 is a Denial of Service vulnerability and is currently assigned a CVSSv3 rating of 8.2 (High).  The CVEs were established on October 10, 2023.

The following products are affected:

  *   NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  *   NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  *   NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  *   NetScaler ADC 13.1-FIPS before 13.1-37.164
  *   NetScaler ADC 12.1-FIPS before 12.1-55.300
  *   NetScaler ADC 12.1-NDcPP before 12.1-55.300

Patches are available from Citrix to fix the vulnerabilities.  The fixed versions are:

  *   NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  *   NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  *   NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  *   NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  *   NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  *   NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
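The affected and fixed lists above can be turned into a small inventory triage check. This is an added example, not Citrix's or the SOC's code; it assumes a constructed inventory format of "RELEASE-BUILD.SUB" (e.g. "13.1-49.15") plus an edition tag ("", "FIPS" or "NDcPP") recorded separately, since the FIPS and NDcPP branches have their own, numerically lower, fixed builds.

```python
import re
from typing import Dict, List, Tuple

# Minimum fixed build per release branch, taken from the advisory's fixed-version list.
# Builds are (BUILD, SUB) tuples so that 49.15 > 48.47 compares correctly.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
    "13.1-FIPS": (37, 164),
    "12.1-FIPS": (55, 300),
    "12.1-NDcPP": (55, 300),
}

# Assumed inventory format (constructed for this example, not "show version" output).
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '13.1-49.15' into ('13.1', (49, 15)); reject anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version: str, edition: str = "") -> Dict[str, str]:
    """Classify one appliance as vulnerable, fixed or unknown per the advisory.

    edition must come from inventory: the 13.1-FIPS fixed build (37.164) is lower
    than the standard 13.1 fixed build (49.15), so comparing a FIPS appliance
    against the standard branch would misreport it.
    """
    release, build = parse_version(version)
    branch = f"{release}-{edition}" if edition else release
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:  # branch not in the advisory's list; review manually
        return {"branch": branch, "status": "unknown", "fixed_build": ""}
    status = "vulnerable" if build < fixed else "fixed"
    return {"branch": branch, "status": status, "fixed_build": f"{release}-{fixed[0]}.{fixed[1]}"}


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames that still need the patch (and session termination)."""
    return [host for host, ver, ed in inventory if assess(ver, ed)["status"] == "vulnerable"]


# Constructed sample inventory: (hostname, version, edition).
INVENTORY = [
    ("vpn-gw-01", "13.1-48.47", ""),
    ("vpn-gw-02", "13.1-49.15", ""),
    ("fips-adc-01", "13.1-37.150", "FIPS"),
    ("adc-14", "14.1-8.50", ""),
    ("adc-13", "13.0-91.13", ""),
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: patch, then terminate all active sessions")
```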

Further information is available from Citrix as published in their Knowledge Center:

  *   Citrix Security Bulletin for CVE-2023-4966 and CVE-2023-4967 - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967


Intelligence: UPDATED: As of October 18, 2023, Citrix has confirmed CVE-2023-4966 as being exploited in the wild as early as August 2023.

Workarounds:  There are no workarounds at this time.

How it works:  CVE-2023-4966 is remotely exploitable without the need for high-level privileges, user interaction, or complex procedures.  Both CVEs are exploited by unauthenticated memory operations in the bounds of a memory buffer.  For either CVE to be exploited, the NetScaler appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Post-Exploit: UPDATED: Upon successful exploitation of CVE-2023-4966, an attacker could hijack existing authenticated sessions, thereby bypassing multifactor authentication or other strong authentication requirements. Organizations need to do more than just apply the patch: they should also terminate all active sessions. These authenticated sessions persist after the update that mitigates CVE-2023-4966 has been deployed, so even after the patch is applied, a threat actor could use stolen session data to authenticate to resources until the sessions are terminated.

Upon successful exploitation of CVE-2023-4967, an attacker could create a denial of service on the vulnerable device, affecting availability of resources.

UPDATED: As of October 13, 2023, the following vulnerability plugin has been released and is currently in Tenable Security Center:

  *   Plugin: 183026 (https://www.tenable.com/plugins/nessus/183026)
  *   Title: NetScaler ADC and NetScaler Gateway Multiple Vulnerabilities (CTX579459)
  *   Severity: High

Recommended Actions:


  *   Enable logging.
  *   Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
  *   Maintain good cyber hygiene and follow vendor patching recommendations.
  *   Terminate all active sessions.
  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."