Citrix urges immediate patching of critically vulnerable product lines

Citrix has urged customers of NetScaler ADC and NetScaler Gateway to install updated versions of the networking products to prevent active exploitation of vulnerabilities that could lead to information disclosure and DoS attacks.

NetScaler ADC (Application Delivery Controller) and NetScaler Gateway were designed to enhance the performance, security, and availability of applications and services within networks. Citrix first announced the product vulnerabilities — designated CVE-2023-4966 and CVE-2023-4967 — on October 10, describing them as “unauthenticated buffer-related” bugs.

CVE-2023-4966, a high-severity, critical information disclosure vulnerability, has been assigned a 9.4 CVSS score. AssetNote, a cybersecurity company specialized in identifying and managing security risks in web applications and online assets, published a proof of concept (POC) exploit for the vulnerability, called Citrix Bleed, on GitHub. The company is also offering tests for customers to check on their exposure to the vulnerability.

In an advisory, Citrix said that “exploits of CVE-2023-4966 on unmitigated appliances have been observed. Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

Active exploits for CVE-2023-4967, which would allow attackers to launch DoS attacks, have not been as widely observed. It has been assigned a 8.2 CVSS score.

In the most recent update on the vulnerabilities, Citrix has recommended installing updated versions of the affected devices. Multiple versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities, and are listed by Citrix in its latest security bulletin.