On 10 October 2023, Citrix Systems released a security bulletin covering one critical and one high severity vulnerability.
The critical vulnerability, tracked as CVE-2023-4966, was discovered in Citrix NetScaler ADC and NetScaler Gateway and is categorised as sensitive information disclosure. With a CVSS score of 9.4, it poses a significant risk to affected systems.
- NetScaler ADC and NetScaler Gateway are affected by a critical unauthenticated buffer overflow, tracked as CVE-2023-4966.
- The flaw leads to sensitive information disclosure when the appliance is configured as a Gateway or AAA virtual server, and carries a CVSSv3 score of 9.4.
- A patch addressing the issue is available and removes the risk posed by the unauthenticated buffer overflow.
- The severity is especially concerning because attackers frequently target Citrix products, which are often deployed in large organisations holding valuable assets.
- Users of NetScaler ADC and NetScaler Gateway are advised to install the relevant updated versions as soon as possible.
- No mitigation methods were provided by the vendor.
Citrix NetScaler ADC and NetScaler Gateway are affected by a critical flaw that permits the exposure of confidential data from susceptible devices.
The vulnerability is identified as CVE-2023-4966 and has been assigned a CVSS score of 9.4, reflecting its severity. It can be exploited remotely without elevated privileges, user interaction, or complex actions.
For a device to be at risk, it must be set up as a Gateway (encompassing VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.
The exploitation of this flaw results in the disclosure of sensitive information, although specific details regarding the type of information that could be exposed have not been provided by the vendor.
Upon closer examination, two functions, ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config, were identified as the root cause. The patch adds a bounds check to both, closing an unauthenticated buffer-related flaw that could leak session tokens.
During the investigation, patch diffing was used to compare two versions of the software: by examining the binaries and identifying the changes between them, it became evident which functions had been altered to address the vulnerability. This comparison led directly to the added bounds check within the implicated functions.
These functions implement the OpenID Connect Discovery endpoint, which was reachable without authentication and therefore exposed sensitive information. The bounds check added in the patch prevents the unauthorised disclosure of session tokens through that endpoint.
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.
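As an added example (not from the bulletin or from Citrix), the following checker compares a NetScaler build string against the fixed builds listed above and applies the Gateway/AAA precondition the bulletin gives; the accepted build-string formats are an assumption, and the 12.1 non-FIPS branch is reported as EOL because it never received a fix.

```python
"""Assess a NetScaler ADC / Gateway build against the CVE-2023-4966 fixed builds.
Added example for this advisory; not vendor code."""
import re

# First fixed build per branch, exactly as listed in the bulletin.
# Key: (branch, variant); "" means the standard (non-FIPS/NDcPP) build line.
FIXED_BUILDS = {
    ("14.1", ""): "14.1-8.50",
    ("13.1", ""): "13.1-49.15",
    ("13.0", ""): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}

# Assumed input formats: "13.1-49.15", "NS13.1 49.15.nc", "13.1-37.164-FIPS".
_BUILD_RE = re.compile(
    r"^(?:NS)?(\d+)\.(\d+)[ -](\d+)\.(\d+)(?:\.nc)?(?:-(FIPS|NDcPP))?$", re.I
)


def parse_build(build: str):
    """Return ((major, minor, build, sub), variant); raise on unknown format."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    nums = tuple(int(x) for x in m.groups()[:4])
    variant = (m.group(5) or "").upper().replace("NDCPP", "NDcPP")
    return nums, variant


def assess(build: str, gateway_or_aaa: bool = True):
    """Return (status, exposed).

    status: 'fixed', 'vulnerable', 'eol' (12.1 standard, no fix) or 'unknown'.
    exposed: True only when the build is unpatched AND the appliance runs a
    Gateway (VPN vserver, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server,
    which is the precondition the bulletin states. Patch regardless.
    """
    nums, variant = parse_build(build)
    branch = f"{nums[0]}.{nums[1]}"
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        status = "eol" if branch == "12.1" else "unknown"
    elif nums >= parse_build(fixed)[0]:
        status = "fixed"
    else:
        status = "vulnerable"
    exposed = status in ("vulnerable", "eol") and gateway_or_aaa
    return status, exposed
```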
Available vendor patches
The vendor has fixed the issue described above by releasing security updates and urges users to apply them as soon as possible.
Proof of Concept
A ready-to-use exploit is available here.