**CRITICAL RISK** CVE-2023-4966 Cloud Software Group (Citrix) NetScaler ADC and NetScaler Gateway – Unauthorised Access to Critical Data and Credentials due to Improper Restriction of Operations within the Bounds of a Memory Buffer

Background & Context

NetScaler is a line of networking products owned by Cloud Software Group. The product suite includes NetScaler, an application delivery controller (ADC), and NetScaler Unified Gateway. NetScaler was acquired by Citrix Systems in 2005. Citrix consolidated all of its networking products under the NetScaler brand in 2016. On September 30, 2022, when Citrix was taken private as part of the merger with TIBCO Software, NetScaler was formed as a business unit under the Cloud Software Group.

Vulnerability Summary

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. Certain languages allow direct addressing of memory locations and do not automatically ensure that these locations are valid for the memory buffer that is being referenced. This can cause read or write operations to be performed on memory locations that may be associated with other variables, data structures, or internal program data.

Impact If Exploited

When configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, an unauthenticated attacker could exploit the device in order to hijack an existing authenticated session. Depending on the permissions of the account they have hijacked, this could allow the attacker to gain additional access within a target environment and collect other account credentials. Successful exploitation allows the attacker to bypass multifactor authentication (MFA) requirements.

NOTE: This CVE was added to the CISA Known Exploited Vulnerabilities Catalogue on 2023-10-18, indicating that it is being actively exploited “in the wild” and at scale by attackers. Remediation of the vulnerability should therefore be a critical priority in impacted environments. Researchers have revealed that the vulnerability has been exploited in the wild since late August 2023: attackers used CVE-2023-4966 to hijack existing authenticated sessions, which allowed them to effectively bypass multifactor (or any other kind of) authentication.

Affected Product Versions

The following supported versions and platforms of NetScaler ADC and NetScaler Gateway are known to be affected by the vulnerability:

NetScaler ADC

  • 14.1 before 14.1-8.50
  • 13.1 before 13.1-49.15
  • 13.0 before 13.0-92.19
  • 13.1-FIPS before 13.1-37.164
  • 12.1-FIPS before 12.1-55.300
  • 12.1-NDcPP before 12.1-55.300

NetScaler Gateway

  • 14.1 before 14.1-8.50
  • 13.1 before 13.1-49.15
  • 13.0 before 13.0-92.19

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and remains vulnerable. Only appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization and accounting (AAA) virtual server are vulnerable.

Remediation

Official Fix & Remediation Guidance

Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible. Fixed versions are:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
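The affected and fixed build lists above are easiest to act on as a small triage script. The following is an added example, not AppCheck's or Cloud Software Group's code: it encodes the first fixed build per release branch and edition exactly as listed in this advisory, compares an appliance's build against it, and applies the note that only Gateway or AAA virtual-server configurations expose the flaw. The hostnames and builds in the sample fleet are constructed, and the layout assumed for the `show version` output line is an assumption to confirm against a real appliance.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Build(NamedTuple):
    """A NetScaler build number; "13.1-49.15" becomes Build(13, 1, 49, 15).
    Plain tuple ordering gives the correct version comparison."""
    major: int
    minor: int
    build: int
    patch: int

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}"


# First fixed build per (release branch, edition), copied from the advisory.
# Edition "" is the standard build; "FIPS" and "NDcPP" are the hardened editions.
FIXED_BUILDS: Dict[Tuple[str, str], str] = {
    ("14.1", ""): "14.1-8.50",
    ("13.1", ""): "13.1-49.15",
    ("13.0", ""): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}

# Standard 12.1 is end-of-life: vulnerable, with no fixed build to move to.
EOL_BRANCHES = {("12.1", "")}

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
# ASSUMED layout of the version line printed by `show version`, e.g.
# "NetScaler NS13.1: Build 49.13.nc, Date: ..."; confirm against your appliance.
_SHOW_VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_build(text: str) -> Build:
    """Parse an advisory-style build string such as "14.1-8.50"."""
    m = _BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {text!r}")
    return Build(*(int(g) for g in m.groups()))


def build_from_show_version(output: str) -> Build:
    """Extract the build from `show version` output (line format assumed, see above)."""
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no NetScaler version line found in output")
    return Build(*(int(g) for g in m.groups()))


def assess(version: str, edition: str = "", gateway_or_aaa: bool = True) -> Tuple[str, str]:
    """Classify one appliance for CVE-2023-4966.

    Returns (status, reason); status is one of:
      fixed         at or above the first fixed build for its branch/edition
      affected      below the first fixed build, with a Gateway/AAA vserver configured
      eol-affected  on an EOL branch with no fixed build available
      not-exposed   below the fix, but no Gateway/AAA vserver (upgrade anyway)
      unknown       branch/edition not listed in the advisory
    """
    b = parse_build(version)
    key = (b.branch, edition)
    fixed: Optional[Build]
    if key in EOL_BRANCHES:
        fixed = None
    elif key in FIXED_BUILDS:
        fixed = parse_build(FIXED_BUILDS[key])
    else:
        return "unknown", f"{b.branch} {edition or 'standard'} is not listed in the advisory"
    if fixed is not None and b >= fixed:
        return "fixed", f"{version} is at or above first fixed build {FIXED_BUILDS[key]}"
    if not gateway_or_aaa:
        return "not-exposed", "no Gateway/AAA virtual server configured; still upgrade"
    if fixed is None:
        return "eol-affected", f"branch {b.branch} is end-of-life; migrate to a supported release"
    return "affected", f"{version} is below first fixed build {FIXED_BUILDS[key]}"


def triage(inventory: List[Tuple[str, str, str, bool]]) -> Dict[str, Tuple[str, str]]:
    """Assess a fleet of (hostname, version, edition, gateway_or_aaa) entries."""
    return {host: assess(ver, ed, exposed) for host, ver, ed, exposed in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts or observed builds.
    fleet = [
        ("ns-gw-01", "13.1-49.13", "", True),
        ("ns-gw-02", "14.1-8.50", "", True),
        ("ns-fips-01", "12.1-55.297", "FIPS", True),
        ("ns-legacy-01", "12.1-65.99", "", True),
        ("ns-lb-01", "13.0-92.18", "", False),
    ]
    for host, (status, reason) in triage(fleet).items():
        print(f"{host:14} {status:13} {reason}")
    print(build_from_show_version("NetScaler NS13.1: Build 49.13.nc, Date: Sep 8 2023"))
```

A `not-exposed` result reflects the advisory's scoping note, not safety: the build is still below the fix, and a later configuration change (adding a Gateway or AAA virtual server) would make the appliance vulnerable, so the upgrade should still be scheduled.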

NOTE: Just updating or restricting access to vulnerable devices is not enough: enterprise defenders should also check whether their appliances have been compromised by the attackers.

After the patch has been applied, admins should stop all active sessions, rotate credentials, and – if web shells or backdoors are found – rebuild appliances with a clean-source image. See exact guidance at https://services.google.com/fh/files/misc/citrix-netscaler-adc-gateway-cve-2023-4966-remediation.pdf.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contraindicated, customers are therefore advised to always upgrade to the latest version of the product available.

Temporary Mitigation & Workarounds

If a quick upgrade is impossible, Mandiant suggests limiting access to the devices only to trusted IP address ranges.

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

References:

Category: Buffer Overflow

Detection

AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, networks, and cloud infrastructure. AppCheck are authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
