The Cybersecurity and Infrastructure Security Agency (CISA) has directed US federal agencies to defend their systems against three zero-day vulnerabilities in Citrix NetScaler and Google Chrome. These vulnerabilities have been patched but are actively being exploited in attacks, making them high-risk for federal enterprises.
Citrix has advised its customers to immediately patch their Internet-exposed NetScaler ADC and Gateway devices to protect against code injection and buffer overflow vulnerabilities. Those who cannot apply the security updates right away are advised, as a temporary measure, to block network traffic to affected instances and ensure they are not accessible online. More than 51,000 NetScaler devices are currently online, with a significant number having their management interfaces exposed.
CISA has also added an out-of-bounds memory access vulnerability in the Chromium V8 JavaScript engine to its list of known exploited vulnerabilities. This is the first zero-day vulnerability in Chrome to be patched by Google this year.
Federal Civilian Executive Branch (FCEB) agencies in the US must patch vulnerable NetScaler instances within a specific timeframe, as mandated by a binding operational directive issued three years ago. The CVE-2023-6548 vulnerability affecting NetScaler ADC and Gateway management interfaces must be fixed within a week, while the two other vulnerabilities must be mitigated within three weeks.
Although the directive applies only to federal agencies, CISA is encouraging all organizations to prioritize fixing these security flaws as soon as possible. Ensuring timely mitigation of these vulnerabilities is crucial to protecting systems and data from malicious cyber actors.
Article Source
https://www.bleepingcomputer.com/news/security/cisa-pushes-federal-agencies-to-patch-citrix-rce-within-a-week/amp/