CVE-2023-4966 and CVE-2023-4967: How to Protect Yourself from Exploitation

Mitigation Strategies for CVE-2023-4966 and CVE-2023-4967

Introduction

CVE-2023-4966 and CVE-2023-4967 are critical (CVSS 9.4) and high-severity (CVSS 8.2) vulnerabilities, respectively, in NetScaler ADC and NetScaler Gateway (formerly Citrix ADC and Citrix Gateway). The first lets an unauthenticated attacker read sensitive information out of the appliance; the second lets an unauthenticated attacker cause a denial of service (DoS).

CVE-2023-4966 is a sensitive information disclosure vulnerability: a remote attacker can retrieve fragments of appliance memory, and that memory can contain valid session tokens of users who are currently logged in. A stolen session token lets the attacker take over that user's session without knowing the password and without passing MFA. The flaw was exploited in the wild before Citrix published a fix and is commonly referred to as "Citrix Bleed".

CVE-2023-4967 is a DoS vulnerability: a remote attacker can make a vulnerable NetScaler ADC or NetScaler Gateway appliance unresponsive, cutting legitimate users off from every application and VPN service published through it.

Both vulnerabilities are remotely exploitable without privileges, user interaction or high attack complexity. The prerequisite is that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server; an appliance used purely for load balancing, with neither of these configured, is not exposed.

Detailed analysis of CVE-2023-4966

CVE-2023-4966 is not a code-execution bug, and it is not in the web application firewall. Citrix classifies it as CWE-119 (improper restriction of operations within the bounds of a memory buffer); the practical effect is a buffer over-read on an unauthenticated endpoint served by the Gateway or AAA virtual server. A crafted HTTP request causes the appliance to copy more memory than it should into its response, and the memory that leaks routinely holds the session tokens of users who are logged in at that moment.

Because the appliance accepts a session token as proof of authentication, an attacker who replays a leaked token is treated as the victim user: no password, no MFA prompt, and no new authentication, since an existing session is simply reused. This is why an "information disclosure" has been as damaging in practice as many remote code execution bugs.

An attacker holding leaked session tokens could:

  • Hijack active user sessions and reach the internal applications, desktops and VPN resources published through the appliance as those users.

  • Harvest usernames and other data visible in the leaked memory to support further attacks.

  • Use the hijacked access to move laterally and establish persistence inside the network.

Detailed analysis of CVE-2023-4967

CVE-2023-4967 is a denial of service (DoS) vulnerability that Citrix also classifies as CWE-119, a memory-buffer bounds issue. Citrix has not published technical details of the trigger. What the advisory establishes is that an unauthenticated remote attacker can send crafted traffic to a Gateway or AAA virtual server and make the appliance unresponsive, and that no workaround other than upgrading has been published.

Because the appliance usually sits at the network edge, a successful DoS takes down everything published through it:

  • Websites and applications load-balanced or published by the appliance.

  • VPN access (full VPN, clientless VPN and ICA Proxy) provided by the appliance.

  • RDP Proxy sessions brokered by the appliance.

  • Any other service that depends on the appliance being reachable.

Exploitation and mitigation

As noted above, both vulnerabilities are exploitable remotely without privileges, user interaction or high complexity, but only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Check for these virtual servers first: if none exist the appliance is not exposed, although it should still be upgraded.

Citrix has released fixed builds for both vulnerabilities. Upgrade affected NetScaler instances to one of the following builds, or any later build on the same release line, as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 (other than the 12.1-FIPS and 12.1-NDcPP builds listed above) is End-of-Life (EOL) and will not receive a fix. Customers on 12.1 must upgrade to a supported release line that contains the fix.
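The following Python is an added example written for this page, not Citrix tooling. It turns the build list above into a check that can be run across a fleet: it parses the first line of `show ns version`, compares the build against the fixed build for that release line, and scans `show ns runningConfig` for the Gateway (vpn) and AAA (authentication) virtual servers that make an appliance exposed in the first place. It assumes the operator passes the platform (standard, fips or ndcpp), because the version string alone does not distinguish a 13.1-FIPS build from a non-FIPS 13.1 build; the sample version line and config are constructed, not captured from a real appliance.

```python
import re

# Minimum fixed builds from Citrix's advisory, keyed by (release line, platform).
# Non-FIPS 12.1 is EOL and has no fixed build, so it is deliberately absent.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# First line of `show ns version`, e.g.
#   NetScaler NS13.1: Build 49.13.nc, Date: Sep 12 2023, 10:00:00   (64-bit)
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")

# Gateway and AAA virtual servers as they appear in `show ns runningConfig`.
VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver (\S+) ", re.MULTILINE)


def parse_ns_version(version_output):
    """Return (release, (build_major, build_minor)), e.g. ('13.1', (49, 13))."""
    m = VERSION_RE.search(version_output)
    if not m:
        raise ValueError("no NetScaler version line found")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess_build(version_output, platform="standard"):
    """Classify the build as 'fixed', 'vulnerable' or 'unsupported'.

    'unsupported' means no fixed build exists for this release/platform
    (for example non-FIPS 12.1), so the only remedy is a release upgrade.
    Builds compare as (major, minor) tuples, so 49.13 < 49.15 and 4.42 < 8.50.
    """
    release, build = parse_ns_version(version_output)
    fixed = FIXED_BUILDS.get((release, platform))
    if fixed is None:
        return "unsupported"
    return "fixed" if build >= fixed else "vulnerable"


def exposed_vservers(running_config):
    """Return [(kind, name), ...] for every Gateway (vpn) and AAA (authentication)
    virtual server in the running config. An empty list means the prerequisite
    for exploitation is absent, although the appliance should still be upgraded."""
    return VSERVER_RE.findall(running_config)


def triage(version_output, running_config, platform="standard"):
    """Combine build status and exposure into one verdict string."""
    status = assess_build(version_output, platform)
    exposed = exposed_vservers(running_config)
    if status == "fixed":
        return "patched"
    if not exposed:
        return f"{status} build, not exposed (no Gateway/AAA vserver)"
    names = ", ".join(f"{kind} {name}" for kind, name in exposed)
    return f"{status} build, EXPOSED via {names}"


if __name__ == "__main__":
    # Constructed sample output, not captured from a real appliance.
    version = "NetScaler NS13.1: Build 49.13.nc, Date: Sep 12 2023, 10:00:00   (64-bit)"
    config = (
        "add lb vserver web1 HTTP 10.0.0.10 80\n"
        "add vpn vserver gw1 SSL 10.0.0.5 443\n"
        "add authentication vserver aaa1 SSL 10.0.0.6 443\n"
    )
    print(triage(version, config))
```

To run it against real appliances, collect the two command outputs over SSH (for example `ssh nsroot@<appliance> 'show ns version'` and `ssh nsroot@<appliance> 'show ns runningConfig'`) and feed them to `triage`. A "patched" verdict says nothing about whether the appliance was exploited before the upgrade; that needs the log review and session cleanup described below.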

Applying the update alone is not enough for CVE-2023-4966: session tokens leaked before the upgrade remain valid afterwards, so an attacker who already holds one keeps access to the patched appliance. Citrix's guidance is to terminate all active and persistent sessions immediately after upgrading, using the NetScaler CLI commands kill icaconnection -all, kill rdp connection -all, kill pcoipConnection -all, kill aaa session -all, and clear lb persistentSessions.

Beyond that, customers can reduce the risk of exploitation by taking the following steps:

  • Restrict access to the appliances, and in particular to their management interfaces, to the users who need it; the management interface should never be reachable from the internet.

  • Place the appliances behind a firewall and permit only the traffic the published services actually need.

  • Monitor the appliances for signs of exploitation and investigate promptly. For CVE-2023-4966 the most telling sign is a session that was authenticated from one client IP address and then used from another, since a replayed token produces no new login; unexplained administrative logins and configuration changes deserve the same attention.
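The hunt described in the last bullet, as an added example rather than code from the page or from Citrix: it groups session log records by session identifier and reports every session that was used from more than one client IP address, listing the addresses in the order they appeared so the authenticating address comes first. The sample lines are constructed and only loosely modelled on NetScaler SSLVPN syslog records; the regular expression and the field names `SessionId`, `User` and `Client_ip` are assumptions to adapt to the real log format in use.

```python
import re
from collections import defaultdict

# Constructed sample lines loosely modelled on NetScaler SSLVPN syslog records.
# They are not real appliance output; only the SessionId / User / Client_ip
# fields matter to the detection below.
SAMPLE_LOG = """\
Oct 20 10:00:01 ns01 0-PPE-0 : default SSLVPN LOGIN 1001 0 : Context alice@203.0.113.10 - SessionId: 5- User alice - Client_ip 203.0.113.10
Oct 20 10:05:12 ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1002 0 : Context alice@203.0.113.10 - SessionId: 5- User alice - Client_ip 203.0.113.10
Oct 20 10:07:40 ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1003 0 : Context alice@198.51.100.77 - SessionId: 5- User alice - Client_ip 198.51.100.77
Oct 20 10:08:03 ns01 0-PPE-0 : default SSLVPN LOGIN 1004 0 : Context bob@203.0.113.22 - SessionId: 6- User bob - Client_ip 203.0.113.22
Oct 20 10:09:30 ns01 0-PPE-0 : default SSLVPN TCPCONNSTAT 1005 0 : Context bob@203.0.113.22 - SessionId: 6- User bob - Client_ip 203.0.113.22
"""

# Field layout is an assumption about the log format; adjust to the real records.
FIELD_RE = re.compile(r"SessionId: (\d+)-? User (\S+) - Client_ip (\S+)")


def parse_session_events(log_text):
    """Yield (session_id, user, client_ip) for each line carrying those fields."""
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def sessions_with_multiple_sources(log_text):
    """Return {session_id: (user, [client IPs in order of first appearance])}
    for every session seen from more than one source address.

    A session authenticated from one address and then used from another is the
    footprint of a replayed session token: the appliance records no new LOGIN
    because, from its point of view, the same session simply continued.
    """
    first_seen = defaultdict(list)
    users = {}
    for sid, user, ip in parse_session_events(log_text):
        users[sid] = user
        if ip not in first_seen[sid]:
            first_seen[sid].append(ip)
    return {sid: (users[sid], ips) for sid, ips in first_seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for sid, (user, ips) in sessions_with_multiple_sources(SAMPLE_LOG).items():
        print(f"session {sid} ({user}) authenticated from {ips[0]}, "
              f"later used from {', '.join(ips[1:])}")
```

Treat a hit as a lead, not a verdict: mobile and roaming users change addresses legitimately, so corroborate with geography, ASN and timing, and give priority to sessions from the window between the first public reports of exploitation and the upgrade. The constructed sample flags session 5 (alice), whose token was used from 198.51.100.77 after being issued to 203.0.113.10, and not session 6.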

Conclusion

CVE-2023-4966 and CVE-2023-4967 affect NetScaler ADC and NetScaler Gateway appliances that are configured as a Gateway or AAA virtual server. The first leaks session tokens that let an attacker hijack authenticated sessions and bypass MFA; the second allows an unauthenticated denial of service.

Upgrade to a fixed build without delay, terminate all existing sessions once the upgrade is complete so that previously leaked tokens stop working, and review logs from before the upgrade for signs that sessions were hijacked. The additional hardening steps outlined above reduce the chance that the next vulnerability in this class is reachable at all.
