Two vulnerabilities in NetScaler's ADC and Gateway products have been fixed - but not before criminals found and exploited them, according to the vendor.
CVE-2023-6548 could allow remote code execution in the appliances' management interface.
It received a 5.5 CVSS rating, which is low for an RCE bug.
One reason may be that it requires the attacker to be authenticated, albeit with low-level privileges, and to have access to the NetScaler IP, Subnet IP, or cluster management IP with management interface access.
This vulnerability cannot be exploited if the management console and related components are not exposed to the public internet, and NetScaler's configuration guidance recommends that the management interface be reachable only from a private network.
TLDR: If you followed Citrix's instructions, your appliances should be safe.
The second bug, tracked as CVE-2023-6549, could allow a denial-of-service attack, and earned an 8.2 CVSS rating.
The flaws only affected customer-managed NetScaler ADC and NetScaler Gateway, so customers using Netscaler-managed services don't have to worry about any of this.
Citrix/Netscaler history
Citrix acquired Netscaler in 2005 and retained the Netscaler name for its products.
Once Citrix merged with Tibco in 2022, Netscaler became one of the brands operated by the Cloud Software Group, which reconstituted it as a standalone business.
Netscaler's security and support ops remain entangled with that of Citrix, which probably explains why flaws in Netscaler products are named for Citrix and technical docs about Netscaler products appear at Citrix.com.
The US Cybersecurity and Infrastructure Security Agency has already added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog.
While all of this feels very Citrix-Bleed-esque, the vendor assures us that these new bugs under attack are not related to that zero-day.
Citrix Bleed, of course, is the critical information-disclosure bug that also affects NetScaler ADC and NetScaler Gateway.
It was disclosed in October and abused to infect victims with ransomware and steal, among a ton of other data, millions of Comcast Xfinity subscribers' personal info.
Unlike Citrix Bleed, the latest security flaws don't allow for data exfiltration, which makes them not quite as appealing to would-be digital thieves and ransomware crews.
A couple of Tenable security research engineers weighed in on the vulnerabilities.
This Cyber News was published on go.theregister.com. Publication date: Thu, 18 Jan 2024 15:43:04 +0000