Alert: Citrix and VMware disclose critical security flaws in NetScaler ADC and Aria Automation

Citrix has issued an alert regarding two critical zero-day vulnerabilities found in NetScaler ADC (previously known as Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), which are currently being exploited. These vulnerabilities are detailed as follows:

  • CVE-2023-6548: This vulnerability, with a CVSS score of 5.5, allows authenticated (low-privileged) remote code execution on the management interface. Exploitation requires access to the NSIP, CLIP, or SNIP with management interface access.
  • CVE-2023-6549: With a CVSS score of 8.2, this vulnerability allows a denial-of-service attack. It is exploitable when the appliance is configured as a Gateway or an AAA (authentication, authorization, and accounting) virtual server.

Affected versions of NetScaler ADC and NetScaler Gateway include:

  • NetScaler ADC and NetScaler Gateway version 14.1 prior to 14.1-12.35
  • NetScaler ADC and NetScaler Gateway version 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway version 13.0 before 13.0-92.21
  • End-of-life NetScaler ADC and NetScaler Gateway version 12.1
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302


Citrix reports that exploits of these vulnerabilities have been detected on unpatched systems. Users of version 12.1 are urged to upgrade to a supported version that resolves these issues.
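For triaging an appliance inventory against the affected-versions list above, the following is an added example and not Citrix code. It assumes versions are recorded in the `release-build` form used in that list and that the edition (standard, FIPS, NDcPP) is known per host; the hostnames and builds in the sample inventory are constructed.

```python
import re

# First fixed build per (release, edition), copied from the affected-versions list above.
FIXED = {
    ("14.1", "standard"): (12, 35),
    ("13.1", "standard"): (51, 15),
    ("13.0", "standard"): (92, 21),
    ("13.1", "fips"): (37, 176),
    ("12.1", "fips"): (55, 302),
    ("12.1", "ndcpp"): (55, 302),
}
# Standard 12.1 is end-of-life: the list names no fixed build on that line.
EOL = {("12.1", "standard")}

# Assumed input form "release-build", e.g. "13.1-51.15", as written in the list above.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def classify(version, edition="standard"):
    """Return 'affected', 'fixed', 'eol' or 'unknown' for one appliance."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    key = (m.group(1), edition.lower())
    if key in EOL:
        return "eol"
    fixed = FIXED.get(key)
    if fixed is None:
        return "unknown"  # release line not covered by the list
    # Compare builds as integer pairs: as strings, "9.60" would sort after "51.15".
    build = (int(m.group(2)), int(m.group(3)))
    return "affected" if build < fixed else "fixed"

# Constructed sample inventory: (hostname, version, edition). Not real hosts.
INVENTORY = [
    ("adc-edge-01", "14.1-8.50", "standard"),
    ("adc-edge-02", "13.1-51.15", "standard"),
    ("adc-fips-01", "13.1-37.176", "fips"),
    ("adc-old-01", "12.1-65.35", "standard"),
    ("adc-dmz-01", "13.1-9.60", "standard"),
]

def triage(inventory):
    """Map each hostname to its classification."""
    return {host: classify(version, edition) for host, version, edition in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:<12} {status}")
```

The FIPS and NDcPP editions follow their own build tracks, so a 13.1-FIPS appliance on 13.1-37.176 is fixed even though its build number is lower than the standard 13.1 fix.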

For enhanced security, it is recommended not to expose the management interface to the internet, which lowers the risk of exploitation. Citrix's disclosure comes amid the exploitation of multiple other security vulnerabilities, including CVE-2023-3519 and CVE-2023-4966, in which attackers deployed web shells and commandeered authenticated sessions.

In related news, VMware has warned its customers about a severe security flaw in Aria Automation (formerly vRealize Automation), identified as CVE-2023-34063 with a CVSS score of 9.9. Described as a “missing access control” issue, it allows authenticated attackers unauthorized access to remote organizations and workflows. Discovered and reported by CSIRO’s Scientific Computing Platforms team, the vulnerability impacts VMware Aria Automation versions 8.11.x through 8.14.x and VMware Cloud Foundation versions 4.x and 5.x. VMware advises users to upgrade directly to version 8.16 to avoid reintroducing the vulnerability.

Moreover, Atlassian has announced patches for over two dozen vulnerabilities, including a critical RCE flaw in Confluence Data Center and Server, tracked as CVE-2023-22527 with a CVSS score of 10.0. This flaw impacts versions 8.0.x to 8.5.3, excluding the 7.19.x LTS versions. Atlassian attributes it to a template injection vulnerability in outdated versions that allows unauthenticated attackers to achieve remote code execution. Affected users should update to the latest patched versions, such as 8.5.4 and 8.5.5 (Confluence Data Center and Server), or 8.6.0, 8.7.1, and 8.7.2 (Data Center only).