July 14, 2024
Citrix Addresses High-Severity NetScaler Servers Flaw

Citrix appears to have quietly fixed a vulnerability in its NetScaler Application Delivery Controller (ADC) and Gateway appliances that gave remote, unauthenticated attackers a way to obtain potentially sensitive information from the memory of affected systems.

The bug was nearly identical to, but not as serious as, "CitrixBleed" (CVE-2023-4966), a critical zero-day vulnerability in the same two technologies that Citrix disclosed last year, according to researchers at Bishop Fox, who discovered and reported the flaw to Citrix in January.

Like CitrixBleed, But Not as Serious

Attackers exploited CitrixBleed widely to deploy ransomware, steal data, and for other malicious purposes. The Cybersecurity and Infrastructure Security Agency (CISA) was among many that urged affected organizations to quickly update their systems to patched versions of NetScaler, citing reports of widespread attacks that targeted the vulnerability. Boeing and Comcast Xfinity were among several major organizations that attackers targeted.

In contrast, the flaw that Bishop Fox found in January was less dangerous because attackers would have been less likely to retrieve any information of high value from a vulnerable system with it. Even so, the bug, in NetScaler version 13.1-50.23, did leave the door open for an attacker to occasionally grab sensitive information, including HTTP request bodies, from the process memory of affected appliances, Bishop Fox said.

The company also said Citrix acknowledged its vulnerability disclosure on Feb. 1. However, Citrix did not assign the flaw a CVE identifier because it had already addressed the issue in NetScaler version 13.1-51.15, prior to disclosure, Bishop Fox said. It is not clear if Citrix privately disclosed the vulnerability to customers at any time, or if it even considered the issue that Bishop Fox raised to be a vulnerability. Bishop Fox itself said there has been no public disclosure of the flaw until now.

Citrix did not respond immediately to a Dark Reading request for clarification on when, or if, the company disclosed the flaw prior to addressing it in version 13.1-51.15.

Out-of-Bounds Memory Issue

In a blog this week, Bishop Fox identified the vulnerability it discovered as an unauthenticated out-of-bounds memory issue, a class of bug that allows an attacker to access memory locations beyond the intended boundaries of a program. Bishop Fox said its researchers exploited the vulnerability to grab sensitive information, including HTTP request bodies, from an affected appliance's memory. The blog post read, "This could potentially allow attackers to obtain credentials submitted by users logging in to NetScaler ADC and Gateway appliances, or cryptographic material used by the appliance."

As with CitrixBleed, the flaw that Bishop Fox discovered affected NetScaler components when used for remote access and as authentication, authorization, and auditing (AAA) servers. Specifically, the security vendor found the Gateway and AAA virtual server to be handling HTTP Host request headers in an unsafe manner, which was the same underlying cause of CitrixBleed. The company's proof-of-concept code demonstrated how a remote adversary could exploit the vulnerability to retrieve potentially useful information for an attack.
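The bug class described in the two paragraphs above, an out-of-bounds read triggered by unsafe handling of a request header, reduced to a textbook illustration in C. This is an added example, not Citrix's code and not Bishop Fox's proof of concept: the memory layout (a fixed-size slot for the Host value sitting directly in front of another request's POST body), the function names and the sample strings are all constructed assumptions. The unchecked version copies the header value out for a response using a length the client claimed rather than the length that was actually stored, so an inflated claim drags adjacent memory into the response; the bounded version next to it is the fix.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed "process memory": a small arena in which a fixed-size slot for
 * the parsed Host header sits directly in front of a buffer holding another
 * client's POST body. This layout is an assumption for illustration only and
 * does not describe NetScaler's internals. */
#define HOST_SLOT 32
#define ARENA_SIZE 128

struct arena {
    char host[HOST_SLOT];               /* where the Host header value is stored */
    char body[ARENA_SIZE - HOST_SLOT];  /* adjacent memory: someone else's POST body */
};

static struct arena mem;

/* Constructed sample state: a short Host value followed by a sensitive body. */
static void init_arena(void) {
    memset(&mem, 0, sizeof mem);
    strcpy(mem.host, "vpn.example");
    strcpy(mem.body, "user=alice&password=hunter2");
}

/* Vulnerable pattern: the number of bytes copied into the response is taken
 * from what the request claimed, not from what was actually stored. If the
 * claim exceeds the stored value, the copy runs past the slot into the
 * adjacent body. (The copy is clamped to the arena so the demo itself stays
 * within defined behaviour; a real over-read has no such safety net.) */
size_t reflect_host_unchecked(size_t claimed_len, char *out, size_t out_cap) {
    const char *src = (const char *)&mem;   /* arena start == host slot start */
    size_t n = claimed_len < out_cap - 1 ? claimed_len : out_cap - 1;
    if (n > sizeof mem) n = sizeof mem;
    memcpy(out, src, n);
    out[n] = '\0';
    return n;
}

/* Hardened pattern: the copy length is bounded by the bytes actually stored
 * and by the slot's capacity, never by a client-supplied number. */
size_t reflect_host_bounded(size_t claimed_len, char *out, size_t out_cap) {
    (void)claimed_len;                      /* the client's number is not trusted */
    const char *end = memchr(mem.host, '\0', HOST_SLOT);
    size_t stored = end ? (size_t)(end - mem.host) : HOST_SLOT;
    size_t n = stored < out_cap - 1 ? stored : out_cap - 1;
    memcpy(out, mem.host, n);
    out[n] = '\0';
    return n;
}

/* Returns 1 if the reflected bytes contain anything from the adjacent body.
 * The reflected data may contain embedded NULs, so scan by length, not strstr. */
int leaks_body(size_t (*reflect)(size_t, char *, size_t), size_t claimed_len) {
    char out[ARENA_SIZE + 1];
    init_arena();
    size_t n = reflect(claimed_len, out, sizeof out);
    const char *needle = "password=";
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= n; i++)
        if (memcmp(out + i, needle, nl) == 0) return 1;
    return 0;
}

int main(void) {
    printf("unchecked, honest length:   leak=%d\n", leaks_body(reflect_host_unchecked, 11));
    printf("unchecked, inflated length: leak=%d\n", leaks_body(reflect_host_unchecked, 80));
    printf("bounded,   inflated length: leak=%d\n", leaks_body(reflect_host_bounded, 80));
    return 0;
}
```

The defensive point is in `reflect_host_bounded`: every length that drives a copy out of process memory must come from the data the server itself stored, never from a number the client sent. From the detection side, the same property gives a cheap check: a response that echoes a header value longer than the header the server actually parsed is an anomaly worth alerting on.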

"Bishop Fox staff analyzed vulnerable Citrix deployments and observed instances where the disclosed memory contained data from HTTP requests, often including POST request bodies," the company noted. Bishop Fox recommended that organizations running the affected NetScaler version upgrade to version 13.1-51.15 or later.