On Tuesday, Citrix urged customers to immediately patch NetScaler ADC and Gateway appliances exposed online against two actively exploited zero-day vulnerabilities.
The two zero-days (CVE-2023-6548 and CVE-2023-6549) impact the NetScaler management interface and expose unpatched NetScaler instances to remote code execution (CVSS score: 5.5) and denial-of-service attacks (CVSS score: 8.2), respectively.
The good news for administrators and potential victims is that, for the remote code execution flaw, attackers must already be logged in to a low-privilege account on the targeted instance and have network access to the management interface via the CLIP, NSIP, or SNIP. Additionally, in order to be vulnerable to DoS attacks, the appliance must be configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
The company says that only customer-managed NetScaler appliances are impacted by the zero-days, while Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected.
The list of NetScaler product versions affected by these two zero-day vulnerabilities includes the following:
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
NetScaler ADC 13.1-FIPS before 13.1-37.176
NetScaler ADC 12.1-FIPS before 12.1-55.302
NetScaler ADC 12.1-NDcPP before 12.1-55.302
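The affected-version list above uses NetScaler's `major.minor-build.sub` format, and "before" means any build numerically lower than the fixed one within the same release line and variant (standard, FIPS, NDcPP). The following Python script is an added example, not part of the article or of Citrix's bulletin: it encodes the fixed builds from the list above and compares an inventory of appliance versions against them, so an administrator can sort a fleet into patched, unpatched and "release line not covered by this bulletin" (for example standard 12.1, which the list does not mention). The regex's tolerance for strings shaped like `NS13.1: Build 51.15.nc` is an assumption about `show version` output formatting, not something the article states.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds exactly as listed in the article (from Citrix bulletin CTX584986).
# Key: (release line, variant). Variant "" = standard ADC/Gateway build.
FIXED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("14.1", ""): "14.1-12.35",
    ("13.1", ""): "13.1-51.15",
    ("13.0", ""): "13.0-92.21",
    ("13.1", "FIPS"): "13.1-37.176",
    ("12.1", "FIPS"): "12.1-55.302",
    ("12.1", "NDcPP"): "12.1-55.302",
}

# Accepts the bulletin's "14.1-12.35" form and (assumption) a
# "NS13.1: Build 51.15.nc" style string; trailing suffixes are ignored.
VERSION_RE = re.compile(
    r"^(?:NS)?(\d+)\.(\d+)\s*[-:]?\s*(?:Build\s+)?(\d+)\.(\d+)"
)


def parse_build(version: str) -> Tuple[int, int, int, int]:
    """Parse a NetScaler version string into a comparable (major, minor, build, sub) tuple."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor, build, sub)


def is_vulnerable(version: str, variant: str = "") -> Optional[bool]:
    """True if the build is older than the fixed build for its release line/variant,
    False if it is at or above the fix, None if the bulletin lists no fix for that
    line/variant (e.g. standard 12.1), which must be checked against the bulletin
    by hand rather than assumed safe."""
    parsed = parse_build(version)
    line = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get((line, variant))
    if fixed is None:
        return None
    # Tuple comparison orders (major, minor, build, sub) lexicographically,
    # so 13.1-8.50 correctly sorts below 13.1-51.15.
    return parsed < parse_build(fixed)


def assess_fleet(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hostnames into 'unpatched', 'patched' and 'unlisted' buckets.
    inventory entries are (hostname, version string, variant)."""
    result: Dict[str, List[str]] = {"unpatched": [], "patched": [], "unlisted": []}
    for host, version, variant in inventory:
        state = is_vulnerable(version, variant)
        if state is None:
            result["unlisted"].append(host)
        elif state:
            result["unpatched"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("gw-dc1", "14.1-12.34", ""),
    ("gw-dc2", "NS13.1: Build 51.15.nc", ""),
    ("gw-fips", "13.1-37.175", "FIPS"),
    ("gw-legacy", "12.1-65.39", ""),
]

if __name__ == "__main__":
    for bucket, hosts in assess_fleet(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Anything landing in the "unlisted" bucket is not a clean result: it means the release line or variant is absent from the bulletin's table, which for an end-of-life line usually means no fix exists rather than no exposure.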
For more information, read the Citrix Security Bulletin regarding CVE-2023-6548 and CVE-2023-6549: https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549