Citrix Addresses High-Severity Flaw in NetScaler ADC and Gateway

The flaw was nearly identical to last year's CitrixBleed flaw, though not as severe.


This article originally appeared on Dark Reading.

Citrix appears to have quietly addressed a vulnerability in its NetScaler Application Delivery Controller (ADC) and Gateway appliances that gave remote, unauthenticated attackers a way to obtain potentially sensitive information from the memory of affected systems.

The bug was nearly identical to — but not as serious as — "CitrixBleed" (CVE-2023-4966), a critical zero-day vulnerability in the same two technologies that Citrix disclosed last year, according to researchers at Bishop Fox, who discovered and reported the flaw to Citrix in January.

Like CitrixBleed, But Not as Serious

Attackers exploited CitrixBleed widely to deploy ransomware, steal information, and carry out other malicious activity. The Cybersecurity and Infrastructure Security Agency (CISA) was among many that urged affected organizations to quickly update their systems to patched versions of NetScaler, citing reports of widespread attacks that targeted the vulnerability. Boeing and Comcast Xfinity were among several major organizations that attackers targeted.

In contrast, the flaw that Bishop Fox discovered in January was less dangerous because an attacker exploiting it would have been less likely to retrieve high-value information from a vulnerable system. Even so, the bug — in NetScaler version 13.1-50.23 — did leave the door open for an attacker to occasionally capture sensitive information, including HTTP request bodies from the process memory of affected appliances, Bishop Fox said.


The company also said Citrix acknowledged its vulnerability disclosure on Feb. 1. But Citrix did not assign the flaw a CVE identifier because it had already addressed the issue in NetScaler version 13.1-51.15, prior to disclosure, Bishop Fox said. It's not clear if Citrix privately disclosed the vulnerability to customers at any time, or if it even considered the issue that Bishop Fox raised as a vulnerability. Bishop Fox itself said there's been no public disclosure of the flaw until now.

Citrix did not respond immediately to a Dark Reading request for clarification on when, or if, the company disclosed the flaw prior to addressing it in version 13.1-51.15.

Out-of-Bounds Memory Issue

In a blog post this week, Bishop Fox identified the vulnerability it discovered as an unauthenticated out-of-bounds memory issue, a class of bug that allows an attacker to access memory locations beyond the intended boundaries of a program. Bishop Fox said its researchers exploited the vulnerability to capture sensitive information, including HTTP request bodies from an affected appliance's memory. The blog post read, "This could potentially allow attackers to obtain credentials submitted by users logging in to NetScaler ADC and Gateway appliances, or cryptographic material used by the appliance."

As with CitrixBleed, the flaw that Bishop Fox discovered affected NetScaler components when used for remote access and as authentication, authorization, and auditing (AAA) servers. Specifically, the security vendor found that the Gateway and AAA virtual servers handled HTTP Host request headers unsafely, which was the same underlying cause for CitrixBleed. The company's proof-of-concept code demonstrated how a remote adversary could exploit the vulnerability to retrieve potentially useful information for an attack.
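The article describes the bug class (an out-of-bounds read that discloses neighbouring process memory, triggered by unsafe handling of a request header) but not the specific defect. The following is an added, generic illustration of that class written for this page; it is not NetScaler code and does not reproduce the defect Bishop Fox found. It assumes a hypothetical redirect builder that formats the Host header into a fixed-size response buffer, a constructed `arena` standing in for a slice of process memory (with a stale request body placed next to the buffer), and hypothetical helper names (`build_redirect_flawed`, `build_redirect_fixed`, `transmit_leaks_neighbour`). The flawed variant trusts the length `snprintf` wanted to write rather than what fit; the fixed variant treats truncation as an error.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for a slice of process memory: the first RESP_CAP
 * bytes are the response buffer, the bytes after it are whatever happens
 * to live next to it (here, an earlier request's POST body). */
#define RESP_CAP 32
#define ARENA_SIZE 128
static unsigned char arena[ARENA_SIZE];
static const char neighbour_data[] = "POST body: user=alice&pass=hunter2";

/* A 50-character Host header value, constructed for the demonstration. */
#define LONG_HOST "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"

static void reset_arena(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena + RESP_CAP, neighbour_data, sizeof neighbour_data - 1);
}

/* Flawed (hypothetical): returns the length snprintf *wanted* to write.
 * For a Host value longer than the buffer, that length exceeds RESP_CAP,
 * so code that transmits arena[0..len) also transmits neighbouring memory.
 * snprintf itself never writes past RESP_CAP; the over-read happens later. */
size_t build_redirect_flawed(const char *host) {
    reset_arena();
    int wanted = snprintf((char *)arena, RESP_CAP, "Location: https://%s/", host);
    if (wanted < 0) return 0;
    return (size_t)wanted;            /* defect: not bounded by RESP_CAP */
}

/* Fixed: a truncated result is an error, so nothing from the buffer is sent
 * (the caller would answer with a 4xx instead of a redirect). */
size_t build_redirect_fixed(const char *host) {
    reset_arena();
    int wanted = snprintf((char *)arena, RESP_CAP, "Location: https://%s/", host);
    if (wanted < 0 || (size_t)wanted >= RESP_CAP) return 0;
    return (size_t)wanted;
}

/* Would transmitting arena[0..len) disclose the neighbouring data?
 * Models the check a reviewer or fuzzer harness would make. */
int transmit_leaks_neighbour(size_t len) {
    size_t n = sizeof neighbour_data - 1;
    if (len > ARENA_SIZE) len = ARENA_SIZE;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(arena + i, neighbour_data, n) == 0) return 1;
    return 0;
}

int main(void) {
    size_t flawed = build_redirect_flawed(LONG_HOST);
    printf("flawed: would send %zu bytes, leaks neighbour: %d\n",
           flawed, transmit_leaks_neighbour(flawed));
    size_t fixed = build_redirect_fixed(LONG_HOST);
    printf("fixed:  would send %zu bytes, leaks neighbour: %d\n",
           fixed, transmit_leaks_neighbour(fixed));
    return 0;
}
```

The point for reviewers is the bound, not the formatting call: any length derived from attacker-controlled input (here the Host header) must be checked against the buffer's capacity before it is used to decide how many bytes leave the process.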

"Bishop Fox staff analyzed vulnerable Citrix deployments and observed instances where the disclosed memory contained data from HTTP requests, sometimes including POST request bodies," the company noted. Bishop Fox recommended that organizations running the affected NetScaler version upgrade to Version 13.1-51.15 or beyond.


About the Author(s)

Jai Vijayan

Contributing writer, Dark Reading

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a senior editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics including big data, Hadoop, Internet of Things, e-voting and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a master's degree in statistics and lives in Naperville, Illinois.
