Citrix NetScaler flaw exposing sensitive data

Introduction

On 10 October 2023, Citrix Systems released a security bulletin covering one critical and one high severity vulnerability.
The critical vulnerability, identified as CVE-2023-4966, was discovered in Citrix NetScaler ADC and NetScaler Gateway and is categorized as “sensitive information disclosure.” With a CVSS score of 9.4, this flaw poses a significant risk to affected systems.

Key Takeaways

  • NetScaler ADC and NetScaler Gateway contain a critical unauthenticated buffer overflow vulnerability, identified as CVE-2023-4966.
  • This flaw, which causes sensitive information disclosure in certain configurations (Gateway or AAA virtual server), carries a high CVSSv3 score of 9.4, underlining its critical nature.
  • A patch addressing this issue is now available and mitigates the risks associated with the unauthenticated buffer overflow.
  • Given its critical severity, this vulnerability is especially concerning because attackers frequently target Citrix products, which are often deployed in large organizations with valuable assets.

Recommendations

  • Users of NetScaler ADC and NetScaler Gateway are advised to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.
  • The vendor has not provided any mitigation methods.

Technical details

Citrix NetScaler ADC and NetScaler Gateway are affected by a critical flaw that allows sensitive data to be disclosed from vulnerable devices.

The vulnerability is identified as CVE-2023-4966 and has been assigned a CVSS score of 9.4, reflecting its severity. It can be exploited remotely without elevated privileges, user interaction, or complex actions.

For a device to be at risk, it must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

Exploitation of this flaw results in the disclosure of sensitive information, although the vendor has not provided specific details about the type of information that could be exposed.

Upon closer examination, two functions, ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config, were identified as the root cause. The patch amends them with an additional bounds check to mitigate unauthenticated buffer-related vulnerabilities that could lead to the leaking of session tokens.

In the investigation, patch diffing was used to compare two versions of the software. Examining the binaries and identifying the changes made it evident which functions had been altered to address the vulnerability, and this careful comparison led to the identification of the added bounds check in the implicated functions.

These functions implement the OpenID Connect Discovery endpoint, which was accessible without authentication and thereby exposed sensitive information. The additional bounds check added in the patch is the measure that prevents the unauthorized disclosure of session tokens and improves the overall security posture of the Citrix systems.
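The bug class described above, as an added illustration that is not NetScaler code: a hypothetical discovery-document builder formats into a fixed-size buffer, and the unchecked variant reports the length snprintf() intended to write rather than the bytes it actually wrote, so a caller transmitting that many bytes would read past the buffer; the checked variant shows what the added bounds check achieves. The snprintf() pattern, the format string, the buffer size and all names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed response buffer (assumed value). */
#define RESP_CAP 128

/* Hypothetical discovery-document format; the issuer value is derived from
 * the request, so its length is not under the server's control. */
#define DISCOVERY_FMT \
    "{\"issuer\":\"%s\",\"authorization_endpoint\":\"%s/authorize\"}"

/* Unchecked pattern: returns the length snprintf() *wanted* to write. When
 * the issuer is long, that exceeds RESP_CAP, and a caller that transmits
 * `len` bytes from `out` sends adjacent memory (e.g. session tokens). */
size_t build_discovery_unchecked(char *out, size_t cap, const char *issuer) {
    int n = snprintf(out, cap, DISCOVERY_FMT, issuer, issuer);
    return n < 0 ? 0 : (size_t)n;
}

/* Checked pattern (what the added bounds check achieves): the returned
 * length never exceeds the bytes actually written into `out`. */
size_t build_discovery_checked(char *out, size_t cap, const char *issuer) {
    int n = snprintf(out, cap, DISCOVERY_FMT, issuer, issuer);
    if (n < 0) return 0;
    if ((size_t)n >= cap) return cap - 1;   /* truncated: cap-1 chars + NUL */
    return (size_t)n;
}

/* Constructed check with an over-long issuer: only the checked builder
 * reports a length that stays within the buffer. Returns 1 on success. */
int demo_bounds_check(void) {
    char out[RESP_CAP];
    char issuer[200];
    memset(issuer, 'a', sizeof issuer - 1);
    issuer[sizeof issuer - 1] = '\0';
    size_t bad = build_discovery_unchecked(out, RESP_CAP, issuer);
    size_t good = build_discovery_checked(out, RESP_CAP, issuer);
    return bad > RESP_CAP && good == RESP_CAP - 1 && good == strlen(out);
}
```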

Affected products

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.
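An added inventory check, not part of the original post or of any Citrix tooling: it compares an installed build string against the fixed builds listed above (the table is transcribed from that list) and treats the EOL 12.1 standard line as vulnerable per the vendor note. The build-string format "MAJOR.MINOR-BUILD.REV" and the branch labels "", "FIPS" and "NDcPP" are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* First fixed builds per the Citrix bulletin quoted above (standard line is
 * branch ""). 12.1 standard has no fixed build: it is EOL and vulnerable. */
struct fixed_build { const char *branch; int major, minor, build, rev; };
static const struct fixed_build FIXED[] = {
    {"",      14, 1,  8,  50},
    {"",      13, 1, 49,  15},
    {"",      13, 0, 92,  19},
    {"FIPS",  13, 1, 37, 164},
    {"FIPS",  12, 1, 55, 300},
    {"NDcPP", 12, 1, 55, 300},
};

/* Parse a NetScaler build string such as "13.1-49.15" into four integers;
 * a short string or trailing garbage is rejected. */
static int parse_build(const char *s, int v[4]) {
    char tail;
    return sscanf(s, "%d.%d-%d.%d%c", &v[0], &v[1], &v[2], &v[3], &tail) == 4;
}

/* Returns 1 if the build is below the first fixed build for its branch,
 * 0 if it is at or above it, and -1 if the string cannot be parsed or the
 * release line is not covered by the bulletin. */
int netscaler_vulnerable(const char *version, const char *branch) {
    int v[4];
    if (!parse_build(version, v)) return -1;
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        const struct fixed_build *f = &FIXED[i];
        if (strcmp(f->branch, branch) != 0 || f->major != v[0] || f->minor != v[1])
            continue;
        if (v[2] != f->build) return v[2] < f->build;
        return v[3] < f->rev;
    }
    if (v[0] == 12 && v[1] == 1 && branch[0] == '\0')
        return 1;   /* 12.1 standard: EOL, no fixed build, per the vendor note */
    return -1;
}
```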

Available vendor patches

The vendor has fixed the issue described above by releasing security updates and urges users to apply them as soon as possible.

Proof of Concept

Ready-to-use exploits are available here.

Posted on: October 27th, 2023

Krzysztof
