Date: 2023-10-25

Citrix has urged customers of NetScaler ADC and NetScaler Gateway to install updated versions of the networking products to prevent active exploitation of vulnerabilities that could lead to information disclosure and DoS attacks.

NetScaler ADC (Application Delivery Controller) and NetScaler Gateway were designed to enhance the performance, security, and availability of applications and services within networks. Citrix first announced the product vulnerabilities — designated CVE-2023-4966 and CVE-2023-4967 — on October 10, describing them as “unauthenticated buffer-related” bugs.

CVE-2023-4966, a critical information disclosure vulnerability, has been assigned a CVSS score of 9.4. AssetNote, a cybersecurity company specialized in identifying and managing security risks in web applications and online assets, published a proof-of-concept (PoC) exploit for the vulnerability, called Citrix Bleed, on GitHub. The company is also offering tests for customers to check their exposure to the vulnerability.

In an advisory, Citrix said that “exploits of CVE-2023-4966 on unmitigated appliances have been observed. Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.”

Active exploits for CVE-2023-4967, which would allow attackers to launch DoS attacks, have not been as widely observed. It has been assigned a CVSS score of 8.2.

Citrix recommends immediate patching

In the most recent update on the vulnerabilities, Citrix has recommended installing updated versions of the affected devices.
Multiple versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities, and are listed by Citrix in its latest security bulletin.

“NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL),” added Citrix in the bulletin. “Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.”

Technical details on CVE-2023-4966 have been offered by AssetNote. The cybersecurity firm performed patch-diffing, a differential analysis that compares patched and unpatched versions of a product, on NetScaler versions 13.1-49.15 (patched) and 13.1-48.47 (unpatched) to determine the vulnerable functions.

The diffing process involved looking into the /NetScaler/nsppe binary. “This is the NetScaler Packet Processing Engine and it contains a full TCP/IP network stack as well as multiple HTTP services,” said AssetNote in a blog post. “If there is a vulnerability in NetScaler, this is where we look first.”

AssetNote discovered two vulnerable functions: ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config. Both functions are reachable without authentication, and both were patched with the same logic.

Apart from updating to the fixed versions, Citrix recommends killing all active and persistent sessions through a series of commands: kill icaconnection -all; kill rdp connection -all; kill pcoipConnection -all; kill aaa session -all; and clear lb persistentSessions.

However, it also noted that "Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action."
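As an added, defender-side example (not code from the article, Citrix or AssetNote): a small Python triage of NetScaler version strings that uses only what the article states, namely that 13.1-49.15 is patched, 13.1-48.47 is not, and the 12.1 branch is End-of-Life. Fixed builds for other release branches are not on this page and must be copied from Citrix's bulletin before the table is extended; the hostnames and the non-13.1 builds in the sample inventory are constructed.

```python
import re
from typing import NamedTuple

# Only what the article states: 13.1-49.15 is the patched build and
# 13.1-48.47 is unpatched, so 49.15 is the fix threshold for the 13.1 branch.
# Fixed builds for other branches are NOT given on this page; copy them
# from Citrix's security bulletin before extending this table.
FIXED_BUILDS = {(13, 1): (49, 15)}
# 12.1 is End-of-Life per the bulletin: no fix exists, the branch must be left.
EOL_BRANCHES = {(12, 1)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


class NsVersion(NamedTuple):
    major: int
    minor: int
    build: int
    patch: int

    @property
    def branch(self):
        return (self.major, self.minor)


def parse_version(text: str) -> NsVersion:
    """Parse a NetScaler version string such as '13.1-48.47'."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return NsVersion(*(int(g) for g in m.groups()))


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for one version string."""
    v = parse_version(text)
    if v.branch in EOL_BRANCHES:
        return "eol"       # patching is not an option; upgrade to a supported branch
    fixed = FIXED_BUILDS.get(v.branch)
    if fixed is None:
        return "unknown"   # branch not covered by this page's data; check the bulletin
    return "patched" if (v.build, v.patch) >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Map each host of an {host: version} inventory to its status."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and the 12.1/14.1 builds are made up.
    sample = {"gw-1": "13.1-48.47", "gw-2": "13.1-49.15",
              "gw-3": "12.1-55.0", "gw-4": "14.1-1.1"}
    for host, status in sorted(triage(sample).items()):
        print(f"{host}: {status}")
```

A host reported as "vulnerable" or "eol" still needs the session-kill steps Citrix lists after it is upgraded, since patching alone does not invalidate sessions already taken.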