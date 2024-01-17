Citrix has warned customers of its NetScaler ADC and NetScaler Gateway products about two zero-day vulnerabilities that are being actively exploited in the wild.

Tracked as CVE-2023-6548 and CVE-2023-6549, the vulnerabilities allow attackers to perform remote code execution (RCE) and denial-of-service (DoS) attacks, respectively, against affected appliances.

“The vulnerabilities only apply to customer-managed NetScaler ADC and NetScaler Gateway products,” Citrix said in a security advisory. “Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.”

NetScaler Application Delivery Controller (ADC) and NetScaler Gateway are network appliances designed to improve the performance, security, and availability of applications and services within enterprise networks.

Both flaws require preconditions for exploitation

The RCE flaw (CVE-2023-6548) affects only the appliances' management interface, according to Citrix. Exposure can therefore be reduced by segregating the management network, although segregation is a mitigation rather than a fix and does not remove the need to patch.

“Cloud Software Group strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic,” Citrix said. “In addition, we recommend that you do not expose the management interface to the internet, as explained in the secure deployment guide.”

The advisory lists prior access to a NetScaler IP (NSIP), Cluster IP (CLIP), or Subnet IP (SNIP) with management interface access as a prerequisite for exploiting CVE-2023-6548.
The vulnerability carries a Common Vulnerability Scoring System (CVSS) score of 5.5, a “medium” severity rating.

CVE-2023-6549, the DoS flaw, has a CVSS score of 8.2 (“high” severity) and requires the appliance to be “configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy),” according to the advisory.

Impacted appliances run earlier versions

The affected appliances are those running outdated builds of NetScaler ADC and NetScaler Gateway. Affected versions are NetScaler ADC and NetScaler Gateway 13.0 (before 13.0-92.21), 13.1 (before 13.1-51.15), and 14.1 (before 14.1-12.35).

The Federal Information Processing Standard (FIPS) builds are also affected: NetScaler ADC 12.1-FIPS before 12.1-55.302 and NetScaler ADC 13.1-FIPS before 13.1-37.176. NetScaler ADC 12.1-NDcPP before 12.1-55.302, the build certified against the Network Device Collaborative Protection Profile, is affected too.

“NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL) and is vulnerable,” Citrix added. Customers running standard 12.1 builds (as opposed to the 12.1-FIPS and 12.1-NDcPP variants, which do have fixed builds) therefore have no patch available and must upgrade to a supported release.

Citrix has recommended that customers update immediately to the latest supported versions, which address both vulnerabilities. “Exploits of these CVEs on unmitigated appliances have been observed,” Citrix said. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” Citrix recently discovered multiple high-severity vulnerabilities in the same product lines.
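To turn the version list above into something an operator can run across a fleet, here is an added example (written for this page, not code from Citrix or from the original article) that parses the banner printed by the NetScaler `show ns version` command and compares the running build against the fixed builds listed above. The banner format shown in the comments and the `variant` argument are assumptions: the banner alone does not say whether an appliance is on the standard, FIPS or NDcPP build train, so the caller supplies that. The sample banners at the bottom are constructed, not real fleet data.

```python
import re

# Minimum fixed build per NetScaler release branch, taken from the advisory
# as summarised above. Key = release train, value = (major, minor) build number.
FIXED_BUILDS = {
    "13.0": (92, 21),
    "13.1": (51, 15),
    "14.1": (12, 35),
    "12.1-FIPS": (55, 302),
    "13.1-FIPS": (37, 176),
    "12.1-NDcPP": (55, 302),
}

# Standard (non-FIPS, non-NDcPP) 12.1 is End of Life: no fixed build exists.
EOL_RELEASES = {"12.1"}

# Assumed banner format of `show ns version`, e.g.
# "NetScaler NS13.1: Build 51.15.nc, Date: Jan 10 2024, 22:41:42"
BANNER_RE = re.compile(
    r"NS(?P<release>\d+\.\d+)\D*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_banner(banner):
    """Return (release, (build_major, build_minor)) from a version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def assess(banner, variant="standard"):
    """Classify an appliance as ('patched' | 'vulnerable' | 'unknown', reason).

    variant is 'standard', 'FIPS' or 'NDcPP' (an assumption of this example:
    the banner does not reveal the build train, so the operator supplies it).
    """
    release, build = parse_banner(banner)
    key = release if variant == "standard" else f"{release}-{variant}"

    # Standard 12.1 has no fix at all; only upgrading to a supported train helps.
    if variant == "standard" and release in EOL_RELEASES:
        return "vulnerable", f"{release} is End of Life; upgrade to a supported release"

    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown", f"no fixed build recorded for {key}"

    # Tuple comparison orders (92, 5) < (92, 21) correctly, unlike string comparison.
    if build >= fixed:
        return "patched", f"{key} build {build[0]}.{build[1]} >= fixed {fixed[0]}.{fixed[1]}"
    return "vulnerable", f"{key} build {build[0]}.{build[1]} < fixed {fixed[0]}.{fixed[1]}"


if __name__ == "__main__":
    # Constructed sample banners for demonstration only.
    samples = [
        ("NetScaler NS13.1: Build 51.15.nc, Date: Jan 10 2024, 22:41:42", "standard"),
        ("NetScaler NS13.0: Build 92.19.nc, Date: Dec 4 2023, 10:12:05", "standard"),
        ("NetScaler NS12.1: Build 65.39.nc, Date: Sep 1 2023, 09:00:00", "standard"),
        ("NetScaler NS13.1: Build 37.150.nc, Date: Nov 20 2023, 08:30:11", "FIPS"),
    ]
    for banner, variant in samples:
        status, reason = assess(banner, variant)
        print(f"{status:10s} {reason}")
```

A "patched" result only says the running build is at or above the fixed build; because Citrix reports that exploitation of unmitigated appliances has already been observed, an appliance that was exposed before patching still warrants a compromise assessment rather than being closed out on version alone.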