Double Zero-Day Threat: Emergency Patches for Citrix Netscaler

Citrix emphatically advises its users to promptly install patches on Netscaler ADC and Netscaler Gateway devices connected to the internet, to avert attacks associated with two newly exploited zero-day vulnerabilities.

These security flaws, designated as CVE-2023-6548 and CVE-2023-6549, impact the Netscaler management interface and render instances with outdated software susceptible to remote code execution and denial-of-service attacks, respectively.

For code execution, an attacker requires access to an account with minimal privileges, as well as NSIP, CLIP, or SNIP with access to the management interface. Devices configured as a gateway (virtual VPN server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server are vulnerable to denial-of-service attacks.

Citrix Endpoint Management Vulnerability

Citrix Systems Inc. / CC BY (https://creativecommons.org/licenses/by/3.0)

According to the company, only Netscaler devices managed by clients are susceptible to these vulnerabilities. Citrix’s cloud services and adaptive authentication, managed directly by Citrix, remain unaffected.

The list of NetScaler product versions vulnerable to these flaws includes:

  • NetScaler ADC and NetScaler Gateway from 14.1 to 14.1-12.35
  • NetScaler ADC and NetScaler Gateway from 13.1 to 13.1-51.15
  • NetScaler ADC and NetScaler Gateway from 13.0 to 13.0-92.21
  • NetScaler ADC 13.1-FIPS up to 13.1-37.176
  • NetScaler ADC 12.1-FIPS up to 12.1-55.302
  • NetScaler ADC 12.1-NDcPP up to 12.1-55.302

According to Shadowserver’s threat monitoring platform, approximately 1,500 Netscaler management interfaces are currently accessible from the internet.

In its recent security advisory, Citrix strongly urges administrators to immediately update their NetScaler devices to prevent potential attacks.

The company warns that exploitation of these vulnerabilities on devices without the relevant updates has already been observed, thus NetScaler ADC and NetScaler Gateway customers are recommended to install the corresponding updated versions as soon as possible.

Those still using NetScaler ADC and NetScaler Gateway software version 12.1, which has reached the end of its lifecycle, are also advised to transition to a version that continues to be supported.

Administrators who cannot immediately install the latest security updates should block network traffic to the affected instances and ensure they are not accessible from the internet. Citrix also recommends physically or logically separating network traffic to the device’s management interface from regular network traffic.

Moreover, the company advises against exposing the management interface to the internet in general. The absence of such access significantly reduces the risk of exploiting this issue.

Another critical Netscaler vulnerability, rectified in October and tracked as CVE-2023-4966 (later dubbed Citrix Bleed), was also exploited since August by various threat groups to infiltrate networks of government organizations and major technology companies globally, including Boeing.

The Health Sector Cybersecurity Coordination Center (HC3) has also issued an industry-wide warning, urging healthcare organizations to secure their NetScaler ADC and NetScaler Gateway instances against escalating ransomware attacks.