[CDP-development] TLP:GREEN (Zero-Day Alert Notification) - CVE-2023-6548 & CVE-2023-6549: Citrix NetScaler ADC & NetScaler Gateway Code Injection & Buffer Overflow Vulnerabilities

CSS Security Operations Services * DAS css-soc-services at das.oregon.gov
Wed Jan 17 11:16:26 PST 2024


Good morning,

The SOC Services team is reporting on the following vulnerabilities: CVE-2023-6548 & CVE-2023-6549: Citrix NetScaler ADC & NetScaler Gateway Code Injection & Buffer Overflow Vulnerabilities. Due to their high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On January 17, 2024, CISA added CVE-2023-6548 (CVSS 5.5) & CVE-2023-6549 (CVSS 8.2): Citrix NetScaler ADC & NetScaler Gateway Code Injection & Buffer Overflow Vulnerabilities to the Known Exploited Vulnerabilities Catalog. On January 16, 2024, Citrix released a security bulletin urging customers to update.

Citrix had the following to say about the affected products: “This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.”

The following products are affected:

  *   NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  *   NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  *   NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  *   NetScaler ADC 13.1-FIPS before 13.1-37.176
  *   NetScaler ADC 12.1-FIPS before 12.1-55.302
  *   NetScaler ADC 12.1-NDcPP before 12.1-55.302
  *   NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

Fixed versions:

  *   NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
  *   NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
  *   NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
  *   NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
  *   NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
  *   NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP
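
One way to triage an appliance inventory against the affected and fixed version lists above. This is an added example, not part of the original notification or of any Citrix tooling. The "NS13.1: Build 51.15.nc" banner format, the edition labels, and the hostnames and builds in the sample inventory are assumptions constructed for illustration.

```python
import re

# Fixed builds per release train, taken from the "Fixed versions" list above.
FIXED = {
    ("14.1", "standard"): (12, 35),
    ("13.1", "standard"): (51, 15),
    ("13.0", "standard"): (92, 21),
    ("13.1", "fips"): (37, 176),
    ("12.1", "fips"): (55, 302),
    ("12.1", "ndcpp"): (55, 302),
}

# Accepts "13.1-51.15" (notation used in this notification) or
# "NS13.1: Build 51.15.nc" (assumed appliance banner format).
_VERSION = re.compile(r"(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.I)

def assess(version, edition="standard"):
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown' for one appliance."""
    m = _VERSION.search(version)
    if not m:
        return "unknown"
    # Compare builds as integer tuples; string comparison would misorder them.
    release, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    edition = edition.lower()
    if release == "12.1" and edition == "standard":
        return "eol"  # listed above as End Of Life and vulnerable
    fixed = FIXED.get((release, edition))
    if fixed is None:
        return "unknown"  # train not covered by the lists above; check manually
    return "fixed" if build >= fixed else "vulnerable"

# Constructed inventory: hostnames and builds are made up for illustration.
INVENTORY = [
    ("adc-01", "NS13.1: Build 49.15.nc", "standard"),
    ("adc-02", "14.1-12.35", "standard"),
    ("adc-03", "13.1-37.164", "fips"),
    ("adc-04", "12.1-65.25", "standard"),
    ("adc-05", "13.0-92.21", "standard"),
]

def triage(inventory):
    """Map hostname -> status for every (host, version, edition) entry."""
    return {host: assess(ver, ed) for host, ver, ed in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

The edition matters because the FIPS and NDcPP trains have their own fixed builds: 13.1-37.176 is fixed on 13.1-FIPS but would be below the 13.1-51.15 threshold if treated as a standard 13.1 build.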

The security bulletin related to these vulnerabilities by Citrix can be found here: https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549

Intelligence: As of January 17, 2024, the vulnerabilities have been confirmed as being exploited in the wild.

Workarounds: There are no workarounds at this time.

How it works: These vulnerabilities require attackers to be logged in to low-privilege accounts on the targeted instance and to have access to NSIP, CLIP, or SNIP with management interface access. Appliances would also have to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Post-Exploit: Upon successful exploitation of the vulnerability, a threat actor could inject code (CVE-2023-6548) or execute denial of service attacks (CVE-2023-6549).

As of January 17, 2024, the following vulnerability plugin has been released and is currently in Tenable Security Center:

Plugin: 189070 <https://www.tenable.com/plugins/nessus/189070>
Title: NetScaler ADC and NetScaler Gateway Multiple Vulnerabilities (CTX584986l)
Severity: High

Recommended Actions:


  *   If possible, implement the mitigating factors in the Citrix bulletin.
  *   Verify that the host has not been compromised before applying patches.
  *   Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.


Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
“Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians.”

