Dive Brief:
- Citrix is warning that two zero-day vulnerabilities in customer-managed NetScaler Application Delivery Controller and NetScaler Gateway devices are under active exploitation in a limited number of cases.
- The vulnerabilities are tracked as CVE-2023-6548, which could lead to remote-code execution, and CVE-2023-6549, which could lead to a denial-of-service attack. They come more than three months after the initial patch was released for CitrixBleed, but the new zero-days are unrelated to that vulnerability, which is tracked as CVE-2023-4966.
- The RCE vulnerability, which has a CVSS score of 5.5, was reported by a customer. The denial-of-service vulnerability has a CVSS score of 8.2; it was discovered internally and later also reported by a customer.
Dive Insight:
The new zero-days mark another headache for Citrix, which is still navigating the fallout from the CitrixBleed vulnerability. That flaw has already been widely exploited against companies across the U.S. and overseas.
CitrixBleed ensnared major organizations, from Boeing to Comcast’s Xfinity broadband entertainment unit and the Industrial and Commercial Bank of China, as criminal ransomware groups and state-linked actors leveraged it to launch malicious attacks.
Citrix said the new vulnerabilities are not related to CitrixBleed, and researchers consider the newly disclosed zero-days to be far less severe. The company, however, is urging customers to take immediate action.
“Successful exploitation could lead to remote-code execution in the management console or denial of service,” Citrix officials said in a statement. “Netscaler recommends customers apply the fixes quickly before the exploitation becomes widespread.”
The Cybersecurity and Infrastructure Security Agency added the two vulnerabilities to its Known Exploited Vulnerabilities catalog.
No proof of concept has been identified, but researchers at Tenable warn such a development could happen soon and lead to a rapid acceleration of threat activity.
The researchers also warned that an attacker with low-level privileges could easily exploit the RCE vulnerability if they can reach the NetScaler IP, Subnet IP or cluster management IP and that address has access to the appliance's management interface enabled. Citrix notes the management interface should never be exposed to the public internet and should instead be kept on a private network.
The DoS vulnerability can be exploited only when a vulnerable appliance has been configured as a gateway or as an AAA virtual server.