Citrix Resolves High-Risk Flaw in NetScaler Servers Similar to Past CitrixBleed Vulnerability
May 7, 2024
Citrix has reportedly fixed a high-risk vulnerability in its NetScaler Application Delivery Controller (ADC) and Gateway appliances. The flaw could have allowed remote, unauthenticated attackers to extract potentially sensitive data from the memory of affected systems.
The flaw, discovered and reported by security researchers at Bishop Fox in January, bears a striking resemblance to the CitrixBleed flaw (CVE-2023-4966) that Citrix disclosed last year. The new flaw is less serious than CitrixBleed, however, which attackers exploited widely to deploy ransomware, steal data, and carry out other malicious activity.
The Cybersecurity and Infrastructure Security Agency (CISA) had urged organizations affected by CitrixBleed to update their systems promptly, citing reports of widespread attacks exploiting the vulnerability. Major organizations like Boeing and Comcast Xfinity were among the targets of these attacks.
The flaw Bishop Fox found in January was less threatening because it was less likely to yield high-value information to an attacker. Still, the bug, present in NetScaler version 13.1-50.23, gave an attacker the opportunity to occasionally capture sensitive data, including HTTP request bodies, from the memory of affected appliances.
Citrix acknowledged the disclosure on February 1, according to Bishop Fox, but did not assign a CVE identifier to the flaw because it had already addressed the issue in NetScaler version 13.1-51.15, before the disclosure. It remains unclear whether Citrix privately notified customers, or whether it even classified the issue Bishop Fox raised as a vulnerability. Without a CVE, the issue will not surface in advisories or scanner checks keyed on CVE identifiers, so administrators should verify the installed build number directly rather than rely on a CVE lookup.
Bishop Fox classified the vulnerability as an unauthenticated out-of-bounds memory read: a bug class in which a program reads memory beyond the bounds of the buffer it intended to access, here disclosing whatever data happens to be stored there. The firm's researchers exploited it to capture sensitive data, including HTTP request bodies, from an affected appliance's memory.
The flaw affected NetScaler appliances configured as Gateway (remote access) or as authentication, authorization, and auditing (AAA) virtual servers. Bishop Fox found that the Gateway and AAA virtual servers handled the HTTP Host request header unsafely, the same underlying weakness behind CitrixBleed.
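As an added illustration of the bug class the article describes (this is not Bishop Fox's proof of concept and not NetScaler's code), the C program below reconstructs the mechanism publicly documented for CitrixBleed: a URL containing the request's Host header is formatted into a fixed-size buffer with snprintf(), and the return value of snprintf(), which is the length the untruncated string would have had, is then used as the number of bytes to transmit. An oversized Host header makes that count exceed the buffer, so the bytes that follow it in memory leave the appliance. The struct layout, the endpoint path, the planted session token and the 255-byte Host header are all constructed for the demo; the hardened builder treats truncation as an error instead of trusting the count.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RESP_SIZE   64   /* fixed-size response buffer */
#define SECRET_SIZE 32   /* stand-in for whatever the allocator placed after it */

/* One contiguous allocation: the response buffer followed by other data.
 * On the real appliance the bytes after the buffer were heap contents,
 * which is where the leaked session material came from. (Constructed.) */
struct conn {
    char mem[RESP_SIZE + SECRET_SIZE];
};

/* Endpoint path used for the demo; assumed, not taken from the article. */
static const char FMT[] = "https://%s/oauth/idp/.well-known/openid-configuration";

/* Vulnerable pattern. snprintf() never writes more than RESP_SIZE bytes, but
 * it returns the length the untruncated string WOULD have had. Handing that
 * number to the transport layer as the byte count is the out-of-bounds read:
 * an oversized Host header makes the caller send memory past the buffer. */
size_t build_response_vuln(struct conn *c, const char *host)
{
    int n = snprintf(c->mem, RESP_SIZE, FMT, host);
    if (n < 0) return 0;
    return (size_t)n;                 /* BUG: may exceed RESP_SIZE */
}

/* Hardened form: treat truncation as an error and send nothing. Clamping to
 * RESP_SIZE - 1 would also stop the leak but would quietly emit a mangled
 * URL, so refusing is the better choice at a security boundary. */
size_t build_response_fixed(struct conn *c, const char *host)
{
    int n = snprintf(c->mem, RESP_SIZE, FMT, host);
    if (n < 0 || (size_t)n >= RESP_SIZE) return 0;   /* truncated: refuse */
    return (size_t)n;
}

/* The transport layer: copies `len` bytes starting at the response buffer
 * into the outgoing packet, trusting `len` exactly as the vulnerable path
 * did. The clamp to sizeof c->mem only keeps this demo inside one object;
 * it is not part of the bug or of the fix. */
size_t transmit(struct conn *c, size_t len, char *out, size_t outcap)
{
    if (len > sizeof c->mem) len = sizeof c->mem;
    if (len > outcap) len = outcap;
    memcpy(out, c->mem, len);
    return len;
}

/* Plants a constructed session token in the "adjacent memory", sends the
 * response for a 255-byte Host header, and reports whether the token went
 * out on the wire. use_fixed selects the hardened builder. */
int scenario_leaks(int use_fixed)
{
    struct conn c;
    char out[sizeof c.mem];
    char host[256];
    const char *token = "NSC_AAAC=constructed-token";   /* constructed, 26 bytes */

    memset(c.mem, 0, sizeof c.mem);
    memcpy(c.mem + RESP_SIZE, token, strlen(token));    /* the secret after the buffer */
    memset(host, 'a', sizeof host - 1);                  /* oversized Host header */
    host[sizeof host - 1] = '\0';

    size_t len = use_fixed ? build_response_fixed(&c, host)
                           : build_response_vuln(&c, host);
    size_t sent = transmit(&c, len, out, sizeof out);

    /* Did any bytes beyond the buffer leave the box, and were they the token? */
    return sent > RESP_SIZE && memcmp(out + RESP_SIZE, token, strlen(token)) == 0;
}

int main(void)
{
    printf("vulnerable builder leaks adjacent memory: %s\n", scenario_leaks(0) ? "yes" : "no");
    printf("hardened builder leaks adjacent memory:   %s\n", scenario_leaks(1) ? "yes" : "no");
    return 0;
}
```

The same misuse of a formatting routine's return value is worth grepping for in any C code base that builds network responses: any place where the result of snprintf(), vsnprintf() or strlcpy() feeds a length argument without first being compared against the buffer size is the same bug waiting for an oversized input.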
Bishop Fox's proof-of-concept code showed how a remote adversary could exploit the vulnerability to retrieve information useful for a further attack. The company advised organizations running the affected NetScaler version to upgrade to 13.1-51.15 or later; the installed build can be confirmed from the NetScaler CLI with `show ns version`.
Related News
- Citrix Issues Urgent Warning for Two Actively Exploited Zero-Day Vulnerabilities
- Comcast's Xfinity Customer Data Breached in CitrixBleed Exploit
- Urgent Warnings Issued on CitrixBleed Exploitation by LockBit Ransomware Gang
- Citrix Urges Administrators to Terminate NetScaler User Sessions Amidst Hacker Threats
- Toyota Ransomware Attack Likely Exploited CitrixBleed Vulnerability