{ "file_item": { "filepath": "security-advisories", "filename": "CERT-EU-SA2024-010.pdf" }, "title": "Vulnerabilities in Netscaler ADS and Netscaler Gateway", "serial_number": "2024-010", "publish_date": "18-07-2024 08:08:03", "description": "On January 16, 2024, Citrix released a security advisory addressing two vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway, specifically \"CVE-2023-6548\" and \"CVE-2023-6549\". These vulnerabilities have been actively exploited and require urgent patching.
\n[New] On July 17, The NHS England National Cyber Security Operations Centre announced that new intelligence provided by CrowdStrike indicates that contrary to Citrix\u2019s initial disclosure, the vulnerability \"CVE-2023-6548\" does not require user privileges for exploitation.
\n", "url_title": "2024-010", "content_markdown": "---\ntitle: 'Vulnerabilities in\u00a0Netscaler\u00a0ADS and\u00a0Netscaler\u00a0Gateway'\nnumber: '2024-010'\nversion: '1.1'\noriginal_date: 'January 16, 2024'\ndate: 'July 18, 2024'\n---\n\n_History:_\n\n* _17/01/2024 --- v1.0 -- Initial publication_\n* _18/07/2024 --- v1.1 -- Initial publication_\n\n\n# Summary\n\nOn January 16, 2024, Citrix released a security advisory addressing two vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway, specifically `CVE-2023-6548` and `CVE-2023-6549`. These vulnerabilities have been actively exploited and require urgent patching [1, 2].\n\n**[New]** On July 17, The NHS England National Cyber Security Operations Centre announced that new intelligence provided by CrowdStrike indicates that contrary to Citrix\u2019s initial disclosure, the vulnerability `CVE-2023-6548` does not require user privileges for exploitation [3].\n\n# Technical Details\n\n**[Updated]** The vulnerability `CVE-2023-6548`, with a CVSS score of 8.8, is an Unauthenticated Remote Code Execution (RCE) vulnerability in the NetScaler ADC and Gateway appliances. It can be exploited by an unauthenticated attacker with access to the appliance\u2019s management interface.\n\nThe vulnerability `CVE-2023-6549`, with a CVSS score of 8.2, is a Denial of Service (DoS) vulnerability in the same appliances. It can be exploited when a vulnerable appliance has been configured as a Gateway (i.e., VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.\n\n# Affected Products\n\nThe vulnerabilities affect:\n\n- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21;\n- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15;\n- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35;\n- NetScaler ADC 12.1-NDcPP before 12.1-55.302;\n- NetScaler ADC 12.1-FIPS before 12.1-55.302;\n- NetScaler ADC 13.1-FIPS before 13.1-37.176.\n\n\n# Recommendations\n\nCERT-EU strongly recommends installing the releases patches for these vulnerabilities. Moreover, the vulnerability `CVE-2023-6548` only impacts the management interface, and, as recommended in the secure deployment guide of Citrix, this interface should not be exposed to the internet. \n\n# References\n\n[1] \n\n[2] \n\n[3] ", "content_html": "

History:

  • 17/01/2024 --- v1.0 -- Initial publication
  • 18/07/2024 --- v1.1 -- Initial publication

Summary

On January 16, 2024, Citrix released a security advisory addressing two vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway, specifically CVE-2023-6548 and CVE-2023-6549. These vulnerabilities have been actively exploited and require urgent patching [1, 2].

[New] On July 17, The NHS England National Cyber Security Operations Centre announced that new intelligence provided by CrowdStrike indicates that contrary to Citrix\u2019s initial disclosure, the vulnerability CVE-2023-6548 does not require user privileges for exploitation [3].

Technical Details

[Updated] The vulnerability CVE-2023-6548, with a CVSS score of 8.8, is an Unauthenticated Remote Code Execution (RCE) vulnerability in the NetScaler ADC and Gateway appliances. It can be exploited by an unauthenticated attacker with access to the appliance\u2019s management interface.

The vulnerability CVE-2023-6549, with a CVSS score of 8.2, is a Denial of Service (DoS) vulnerability in the same appliances. It can be exploited when a vulnerable appliance has been configured as a Gateway (i.e., VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Affected Products

The vulnerabilities affect:

  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21;
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15;
  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35;
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302;
  • NetScaler ADC 12.1-FIPS before 12.1-55.302;
  • NetScaler ADC 13.1-FIPS before 13.1-37.176.

Recommendations

CERT-EU strongly recommends installing the releases patches for these vulnerabilities. Moreover, the vulnerability CVE-2023-6548 only impacts the management interface, and, as recommended in the secure deployment guide of Citrix, this interface should not be exposed to the internet.

References

[1] https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549

[2] https://www.bleepingcomputer.com/news/security/citrix-warns-of-new-netscaler-zero-days-exploited-in-attacks/

[3] https://digital.nhs.uk/cyber-alerts/2024/cc-4525

", "licence": { "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)", "link": "https://creativecommons.org/licenses/by/4.0/", "restrictions": "https://cert.europa.eu/legal-notice", "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies" } }