CISA Mandates Federal Agencies to Address Citrix and Google Chrome Zero-Days Within Set Timeframes

January 17, 2024

CISA has issued an urgent directive to U.S. federal agencies, calling for immediate action against three recently patched zero-day vulnerabilities in Citrix NetScaler and Google Chrome. All three have been actively exploited in attacks. The agency has specifically required that the Citrix RCE bug be patched within a week. The vulnerabilities were added to CISA's Known Exploited Vulnerabilities (KEV) Catalog, a list of flaws for which CISA has evidence of active exploitation and which it judges to pose significant risk to the federal enterprise.

Citrix had previously advised its customers to patch Internet-exposed NetScaler ADC and Gateway appliances against CVE-2023-6548, a code injection vulnerability in the NetScaler management interface that an authenticated low-privileged attacker with access to the management IP (NSIP, CLIP or a SNIP with management access enabled) can use for remote code execution, and CVE-2023-6549, a buffer overflow that an unauthenticated attacker can use to cause a denial of service against appliances configured as a Gateway or AAA virtual server. For those who cannot immediately install the security updates, Citrix recommended restricting network access to the management interface, separating management traffic from production traffic physically or logically and ensuring the management interface is not reachable from the Internet, as a temporary measure. Note that this mitigates CVE-2023-6548 only; a Gateway or AAA virtual server that must stay reachable remains exposed to CVE-2023-6549 until it is patched.

The cybersecurity agency also added the CVE-2024-0519 out-of-bounds memory access vulnerability in the Chromium V8 JavaScript engine to its list. This is the first Chrome zero-day exploited in the wild that Google has patched this year.

Once a vulnerability is included in the KEV catalog, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate it on their networks within a set timeframe under Binding Operational Directive 22-01, issued in November 2021. Of the three zero-days, CISA has asked for CVE-2023-6548, which affects the NetScaler ADC and Gateway management interface, to be patched by Wednesday, January 24. The other two, the CVE-2023-6549 NetScaler buffer overflow and the CVE-2024-0519 Google Chrome bug, must be mitigated by February 7.
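Tracking these deadlines by hand does not scale once a catalog has hundreds of entries. The script below is an added example (not code from the article, CISA, or Citrix) showing how a security team can cross-reference scanner findings against the KEV feed and rank hosts by BOD 22-01 due date. The KEV records and the per-host CVE inventory are constructed inline, shaped like the public feed's JSON (`cveID`, `product`, `dateAdded`, `dueDate`, `requiredAction`) and using the due dates given in the article; the hostnames, the feed URL in the comment, and the seven-day "due soon" window are assumptions.

```python
"""Triage scanner findings against CISA KEV due dates (BOD 22-01).

Added example, not from the article or from CISA. Records mirror the shape of
CISA's public KEV JSON feed; the sample data below is constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of the KEV feed (assumed URL:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the fields this script reads are populated; due dates follow the article.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2023-6548", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dateAdded": "2024-01-17", "dueDate": "2024-01-24",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2023-6549", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway",
     "dateAdded": "2024-01-17", "dueDate": "2024-02-07",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2024-0519", "vendorProject": "Google",
     "product": "Chromium V8",
     "dateAdded": "2024-01-17", "dueDate": "2024-02-07",
     "requiredAction": "Apply mitigations per vendor instructions."}
  ]
}"""

# Constructed scanner output: host -> CVE IDs reported present on that host.
# The hostnames are assumptions; CVE-2099-0001 is a placeholder that is NOT in KEV.
SAMPLE_INVENTORY = {
    "ns-gw-01.example.internal": ["CVE-2023-6548", "CVE-2023-6549"],
    "ns-adc-02.example.internal": ["CVE-2023-6549"],
    "wks-0421.example.internal": ["CVE-2024-0519", "CVE-2099-0001"],
}

DUE_SOON_DAYS = 7  # assumed escalation window


@dataclass(frozen=True)
class Finding:
    host: str
    cve_id: str
    product: str
    due_date: date
    days_left: int  # negative when overdue
    status: str     # "OVERDUE", "DUE_SOON" or "SCHEDULED"


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index KEV records by upper-cased CVE ID, parsing dueDate into a date."""
    catalog = json.loads(kev_json)
    index: dict[str, dict] = {}
    for entry in catalog["vulnerabilities"]:
        rec = dict(entry)
        rec["dueDate"] = date.fromisoformat(entry["dueDate"])
        index[entry["cveID"].upper()] = rec
    return index


def classify(due: date, today: date) -> tuple[int, str]:
    """Days remaining until the BOD 22-01 deadline and a coarse status."""
    days_left = (due - today).days
    if days_left < 0:
        return days_left, "OVERDUE"
    if days_left <= DUE_SOON_DAYS:
        return days_left, "DUE_SOON"
    return days_left, "SCHEDULED"


def triage(kev_json: str, inventory: dict[str, list[str]], today: date) -> list[Finding]:
    """Return KEV-listed findings per host, most urgent first.

    CVEs not in KEV are skipped: they still need fixing, but BOD 22-01
    deadlines do not apply to them.
    """
    kev = load_kev(kev_json)
    findings: list[Finding] = []
    for host, cves in inventory.items():
        for cve_id in cves:
            rec = kev.get(cve_id.upper())
            if rec is None:
                continue
            days_left, status = classify(rec["dueDate"], today)
            findings.append(Finding(host, rec["cveID"], rec["product"],
                                    rec["dueDate"], days_left, status))
    findings.sort(key=lambda f: (f.due_date, f.host, f.cve_id))
    return findings


def demo(today_iso: str = "2024-01-22") -> list[Finding]:
    """Run the triage on the constructed sample as of the given date."""
    return triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.status:9} due {f.due_date} ({f.days_left:+d}d) "
              f"{f.cve_id:14} {f.host}  [{f.product}]")
```

Run as of January 22, the NetScaler gateway host shows CVE-2023-6548 as DUE_SOON with two days left and everything else as SCHEDULED; rerun after February 7 and every entry flips to OVERDUE. In practice the inventory would come from your scanner or asset database and the JSON from the live feed, with `dateAdded` used to alert on new entries for products you run.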

While CISA did not elaborate on the expedited patch process for CVE-2023-6548, Citrix's alert urging customers to secure vulnerable appliances as soon as possible and the impact of the bug on the management interface likely influenced the decision. Though the BOD 22-01 directive applies only to U.S. federal agencies, CISA has encouraged all organizations, including private companies, to prioritize patching these security flaws as soon as possible.
