Citrix appears to have quietly addressed a vulnerability in its NetScaler Application Delivery Control (ADC) and Gateway appliances that gave remote, unauthenticated attackers a way to obtain potentially sensitive information from the memory of affected systems.
The bug was nearly identical to — but not as serious as — “CitrixBleed” (CVE-2023-4966), a critical zero-day vulnerability in the same two technologies that Citrix disclosed last year, according to researchers at Bishop Fox, who discovered and reported the flaw to Citrix in January.
Like CitrixBleed, But Not as Serious
Attackers exploited CitrixBleed widely to deploy ransomware, steal information, and other malicious purposes. The Cybersecurity and Infrastructure Security Agency (CISA) was among many that urged affected organizations to quickly update their systems to patched versions of NetScaler, citing reports of widespread attacks that targeted the vulnerability. Boeing and Comcast Xfinity were among several major organizations that attackers targeted.
In contrast, the flaw that Bishop Fox discovered in January was less dangerous because attackers would have been less likely to retrieve any information of high value from a vulnerable system with it. Even so, the bug — in NetScaler version 13.1-50.23 — did leave the door open for an attacker to occasionally capture sensitive information, including HTTP request bodies from the process memory of affected appliances, Bishop Fox said.
The company also said Citrix acknowledged its vulnerability disclosure on Feb. 1. But Citrix did not assign the flaw a CVE identifier because it had already addressed the issue in NetScaler version 13.1-51.15, prior to disclosure, Bishop Fox said. It’s not clear if Citrix privately disclosed the vulnerability to customers at any time, or if it even considered the issue that Bishop Fox raised as a vulnerability. Bishop Fox itself said there’s been no public disclosure of the flaw until now.
Citrix did not respond immediately to a Dark Reading request for clarification on when, or if, the company disclosed the flaw prior to addressing it in version 13.1-51.15.
Out-of-Bounds Memory Issue
In a blog this week, Bishop Fox identified the vulnerability it discovered as an unauthenticated out-of-bounds memory issue, which basically amounts to bugs that allow an attacker to access memory locations beyond the intended boundaries of a program. Bishop Fox said its researchers exploited the vulnerability to capture sensitive information, including HTTP request bodies from an affected appliance’s memory. The blog post read, “This could potentially allow attackers to obtain credentials submitted by users logging in to NetScaler ADC and Gateway appliances, or cryptographic material used by the appliance.”
As with CitrixBleed, the flaw that Bishop Fox discovered affected NetScaler components when used for remote access and as authentication, authorization, and auditing (AAA) servers. Specifically, the security vendor found the Gateway and AAA virtual server to be handling HTTP host request headers in an unsafe manner, which was the same underlying cause for CitrixBleed. The company’s proof-of-concept code demonstrated how a remote adversary could exploit the vulnerability to retrieve potentially useful information for an attack.
“Bishop Fox staff analyzed vulnerable Citrix deployments and observed instances where the disclosed memory contained data from HTTP requests, sometimes including POST request bodies,” the company noted. Bishop Fox recommended that organizations running the affected NetScaler version upgrade to Version 13.1-51.15 or beyond.
https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltbd5d4d98e91b7f6b/66395b00d8cc384ff4ea2e33/citrix_Ken_Wolter_shutterstock.jpg?disable=upscale&width=1200&height=630&fit=crop
