Citrix discloses critical NetScaler Gateway vulnerability
Users of affected products have been urged to implement patches immediately to mitigate risk


Citrix has issued a warning to users of NetScaler Gateway and ADC products over a series of new vulnerabilities.
In a security bulletin, the firm disclosed three new vulnerabilities, including one believed to have been actively exploited in the wild.
These include CVE-2023-3466, a reflected cross-site scripting (XSS) vulnerability, and CVE-2023-3467, which would enable privilege escalation to the root administrator, the firm revealed in its update.
The most severe of the three - identified as CVE-2023-3519 - would allow for unauthenticated remote code execution on affected Gateway appliances.
Analysis of the flaw from Rapid7 found that this vulnerability is “known to be exploited in the wild” and urged users to patch immediately.
“This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly,” researchers said.
“Rapid7 strongly recommends updating to a fixed version on an emergency basis, without waiting for a typical patch cycle to occur. See the Citrix advisory for more information.”
Security firm Tenable also analyzed the most severe flaw, which was given a severity score of 9.8 on the CVSSv3 scale, adding that although exploits have been observed, there is currently no known proof of concept code circulating in the wild.
Affected products
In its advisory, Citrix confirmed several versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities. These include:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-65.36
- NetScaler ADC 12.1-NDcPP before 12.1-65.36
The advisory added that NetScaler ADC and NetScaler Gateway version 12.1 is now end-of-life (EOL), so no fix is available for it and it remains vulnerable to the recently disclosed flaws.
Customers currently using an EOL version have been advised to upgrade devices to the latest software versions with the patches applied.
These include:
- NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
- NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP
Customers and channel partners have been notified about the ongoing security risks, and will continue to receive updates via Citrix’s security bulletins.
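As an added illustration (not part of the article or of Citrix's advisory), the fixed-build list above can be turned into a simple inventory check. It assumes versions are supplied in the advisory's `13.1-49.13` form, with the FIPS or NDcPP branch given separately, and it deliberately reports `unknown` for any branch the bulletin does not name:

```python
"""Classify a NetScaler ADC / Gateway build against the fixed releases for
CVE-2023-3519, CVE-2023-3466 and CVE-2023-3467 (fixed builds as listed in
the Citrix bulletin reproduced above)."""
import re

# First fixed build per (release, variant) branch, from the advisory.
# variant "" is the standard ADC/Gateway build; FIPS and NDcPP are separate
# branches with their own build numbering.
FIXED_BUILDS = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (65, 36),
    ("12.1", "NDcPP"): (65, 36),
}

# Standard 12.1 is end-of-life: the advisory lists no fixed build for it.
EOL_RELEASES = {"12.1"}

# Matches the "<release>-<build>" form used in the advisory, e.g. "13.1-49.13".
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def assess(version, variant=""):
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for one build.

    version: build string in advisory form, e.g. "13.1-49.13"
    variant: "" for standard builds, "FIPS" or "NDcPP" for those branches
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    release, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    key = (release, variant)
    if key not in FIXED_BUILDS:
        # EOL branch: no fix exists. Anything else (e.g. a newer release)
        # is simply not covered by this bulletin, so do not guess.
        return "eol" if (release in EOL_RELEASES and variant == "") else "unknown"
    # Build numbers compare component-wise as integers, so 37.159 > 37.15.
    return "patched" if build >= FIXED_BUILDS[key] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts: (hostname, version, variant)
    inventory = [("gw-01", "13.1-48.47", ""), ("gw-02", "13.1-49.13", ""),
                 ("adc-fips", "12.1-65.35", "FIPS"), ("adc-old", "12.1-65.36", "")]
    for host, ver, var in inventory:
        print(f"{host} {ver}{'-' + var if var else ''}: {assess(ver, var)}")
```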

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.