CISA has issued an urgent directive to U.S. federal agencies, calling for immediate action against three recently patched zero-day vulnerabilities in Citrix NetScaler and Google Chrome. These vulnerabilities have been actively exploited in cyber attacks. The agency has specifically urged that the Citrix RCE bug be patched within a week. These vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog, a list that identifies vulnerabilities frequently used by cyber criminals and that pose significant risks to the federal enterprise.
Citrix had previously advised its customers to patch Internet-exposed NetScaler ADC and Gateway appliances against the CVE-2023-6548 code injection vulnerability and the CVE-2023-6549 buffer overflow affecting the NetScaler management interface. These vulnerabilities could be exploited for remote code execution and denial-of-service attacks. For those who cannot immediately install the security updates, Citrix recommended blocking network traffic to the affected instances and ensuring they are not accessible online as a temporary measure.
Once these vulnerabilities are included in CISA's list, U.S. Federal Civilian Executive Branch Agencies (FCEB) are mandated to patch vulnerable devices on their networks within a specific timeframe, as stipulated by a binding operational directive (BOD 22-01) issued three years ago. Of the three zero-days that have now been patched, CISA has asked for the CVE-2023-6548 vulnerability affecting NetScaler ADC and Gateway management interfaces to be patched by next Wednesday, January 24. The other two vulnerabilities, CVE-2023-6549 NetScaler buffer overflow and the CVE-2024-0519 Google Chrome bug, must be mitigated by February 7.
While CISA did not elaborate on the expedited patch process for CVE-2023-6548, Citrix's alert urging customers to secure vulnerable appliances as soon as possible and the impact of the bug on the management interface likely influenced the decision. Though the BOD 22-01 directive applies only to U.S. federal agencies, CISA has encouraged all organizations, including private companies, to prioritize patching these security flaws as soon as possible.