NetScaler is a line of networking products owned by Cloud Software Group. The product suite includes NetScaler, an application delivery controller (ADC), and NetScaler Unified Gateway. NetScaler was acquired by Citrix Systems in 2005. Citrix consolidated all of its networking products under the NetScaler brand in 2016. On September 30, 2022, when Citrix was taken private as part of the merger with TIBCO Software, NetScaler was formed as a business unit under the Cloud Software Group.
The product performs operations on a memory buffer, but can read from or write to a memory location outside the intended boundary of that buffer. Some languages allow direct addressing of memory locations and do not automatically check that those locations are valid for the buffer being referenced, so read or write operations can land on memory that belongs to other variables, data structures, or internal program data. For CVE-2023-4966 the out-of-bounds access is a read: the over-read discloses memory contents, including valid session tokens, which is what enables the session hijack described below.
When an appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, an unauthenticated attacker can exploit the flaw (widely referred to as "Citrix Bleed") to hijack an existing authenticated session. Depending on the permissions of the hijacked account, this can give the attacker additional access within the target environment and a foothold from which to collect further credentials. Because the attacker reuses a session that has already passed authentication, any multifactor authentication (MFA) requirement is bypassed entirely.
NOTE: This CVE was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2023-10-18, indicating that it is being actively exploited in the wild and at scale. Remediation should therefore be a critical priority in affected environments. Researchers have found that attackers have been exploiting CVE-2023-4966 since late August 2023 to hijack existing authenticated sessions, bypassing multifactor (or any other kind of) authentication requirements.
The supported versions and platforms of NetScaler ADC and NetScaler Gateway affected by the vulnerability are those running a build earlier than the fixed build for their release branch, as listed below.
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL); it has no fixed build and remains vulnerable. Only appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and accounting (AAA) virtual server are vulnerable.
Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible. Fixed versions are:
* NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases of 14.1
* NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
* NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
* NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
* NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
* NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
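The following script is an added example, not part of the advisory or of any vendor tooling. It encodes the fixed-build table above so that an inventory of appliances can be checked for vulnerable builds, treats 12.1 without a FIPS/NDcPP suffix as EOL with no fix, and parses the first line of `show ns version` output. The banner format it assumes ("NetScaler NS13.1: Build 49.13.nc, Date: ...") and the inventory data are assumptions made for the example; the hostnames and builds in the inventory are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor): check whether a NetScaler
# ADC / Gateway build is at or above the fixed build for CVE-2023-4966, using
# the fixed-version table in the advisory. Branch names follow the advisory's
# wording (14.1, 13.1, 13.0, 13.1-FIPS, 12.1-FIPS, 12.1-NDcPP); plain 12.1 is
# EOL and has no fixed build.

# Numeric comparison of two build numbers of the form MAJOR.MINOR (e.g. 49.13).
# Returns 0 when $1 >= $2. A build without a minor part is treated as .0.
netscaler_build_ge() {
    a_maj=${1%%.*}; b_maj=${2%%.*}
    case "$1" in *.*) a_min=${1#*.} ;; *) a_min=0 ;; esac
    case "$2" in *.*) b_min=${2#*.} ;; *) b_min=0 ;; esac
    if [ "$a_maj" -gt "$b_maj" ]; then return 0; fi
    if [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -ge "$b_min" ]; then return 0; fi
    return 1
}

# netscaler_status BRANCH BUILD -> prints FIXED / VULNERABLE / UNKNOWN.
# Exit status: 0 fixed, 1 vulnerable, 2 branch not covered by the advisory.
netscaler_status() {
    case "$1" in
        14.1)       fixed=8.50 ;;
        13.1)       fixed=49.15 ;;
        13.0)       fixed=92.19 ;;
        13.1-FIPS)  fixed=37.164 ;;
        12.1-FIPS)  fixed=55.300 ;;
        12.1-NDcPP) fixed=55.300 ;;
        12.1)       echo "VULNERABLE (12.1 is EOL: no fixed build, migrate the branch)"; return 1 ;;
        *)          echo "UNKNOWN (branch $1 not listed in the advisory)"; return 2 ;;
    esac
    if netscaler_build_ge "$2" "$fixed"; then
        echo "FIXED"
        return 0
    fi
    echo "VULNERABLE (fixed in $1-$fixed)"
    return 1
}

# Extract "BRANCH BUILD" from the first line of `show ns version` output.
# Assumed banner format: "NetScaler NS13.1: Build 49.13.nc, Date: ...".
# The banner does not say whether the appliance is a FIPS or NDcPP build, so
# supply the branch to netscaler_status by hand for those.
netscaler_parse_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^NetScaler NS\([0-9][0-9.]*\): Build \([0-9][0-9]*\.[0-9][0-9]*\).*/\1 \2/p'
}

# Report over a constructed inventory (hostname, branch, build), one per line.
netscaler_report() {
    while read -r host branch build; do
        [ -n "$host" ] || continue
        result=$(netscaler_status "$branch" "$build" || true)
        printf '%-20s %-10s %-8s %s\n' "$host" "$branch" "$build" "$result"
    done <<'EOF'
gw1.example.test     13.1       49.13
gw2.example.test     13.1       49.15
fips1.example.test   12.1-FIPS  55.297
legacy.example.test  12.1       65.39
EOF
}

netscaler_report
```

Builds are compared field by field as integers, so "49.13" is correctly ranked below "49.15" even though a naive string or float comparison would also work here; the per-field comparison matters for builds such as 37.164 versus 37.9. For FIPS and NDcPP appliances the branch has to come from your asset records, because the version banner alone does not distinguish them.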
NOTE: Merely updating or restricting access to vulnerable devices is not enough: defenders should also check whether their appliances have already been compromised.
After the patch has been applied, admins should terminate all active sessions, rotate credentials and, if web shells or backdoors are found, rebuild appliances from a clean-source image. Patching alone does not invalidate session tokens that were stolen before the upgrade, which is why the session termination step cannot be skipped. See exact guidance at [[https://services.google.com/fh/files/misc/citrix-netscaler-adc-gateway-cve-2023-4966-remediation.pdf]].
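As an added example of the "stop all active sessions" step (not a script from the advisory, the vendor, or Mandiant), the following wraps the NetScaler CLI session-termination commands that the vendor's CVE-2023-4966 guidance lists, followed by two listing commands that should come back empty once the kills have taken effect. It assumes SSH access to each appliance's NSIP as an admin user (`nsroot` by default); the hostnames are constructed, and `NS_RUNNER` is an assumed convenience for dry runs. Confirm the command list against the guidance you are following before running it against production.

```shell
#!/bin/sh
# Added example (not the advisory's or the vendor's own script): terminate every
# session an attacker could resume with a stolen token, to be run once the fixed
# build is installed and before credentials are rotated. Assumes SSH access to
# the NSIP as an admin user. The kill/clear commands are the ones the vendor's
# CVE-2023-4966 guidance lists for this purpose.

# Commands to run on the appliance, in order: ICA, RDP and PCoIP proxy
# connections, AAA (VPN/authentication) sessions, then load-balancing
# persistence entries that could otherwise re-associate a client with a stale
# session. The two "show" commands afterwards are a check: with all sessions
# gone, they should list nothing.
netscaler_session_kill_commands() {
    cat <<'EOF'
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
show aaa session
show icaconnection
EOF
}

# Feed the commands to one appliance over SSH. NS_RUNNER (an assumed knob for
# this example) overrides the transport; NS_RUNNER=cat prints the script
# instead of sending it, which is the dry-run mode used below.
netscaler_kill_all_sessions() {
    host="$1"
    user="${2:-nsroot}"
    runner="${NS_RUNNER:-ssh $user@$host}"
    netscaler_session_kill_commands | $runner
}

# Number of commands that will be sent, for a sanity check in automation.
netscaler_session_kill_count() {
    netscaler_session_kill_commands | wc -l | tr -d ' '
}

# Dry run over a constructed host list.
for gw in gw1.example.test gw2.example.test; do
    echo "== $gw"
    NS_RUNNER=cat netscaler_kill_all_sessions "$gw"
done
```

Run it once per Gateway or AAA appliance (or once per HA pair, on the primary) immediately after the upgrade. Killing sessions will disconnect legitimate users as well, so schedule it, but do not defer it: until it runs, a token captured before the patch is still valid.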
NOTE: Patching to the specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered after the publication of this guidance. Unless contraindicated, customers are therefore advised to always upgrade to the latest available version of the product.
If a prompt upgrade is not possible, Mandiant suggests limiting access to the devices to trusted IP address ranges only.
NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not be officially recommended by the application vendor, its viability may vary with server platform and existing configuration, and it may only partially remediate the vulnerability. Configuration changes made to implement a mitigation may also impact or disrupt required functionality within a customer application. Each listed mitigation should therefore be carefully analysed for appropriateness to the environment, and customers are advised to test any configuration changes before introducing them into production.
Category: Buffer Overflow
AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network, and cloud infrastructure. AppCheck is authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).