A critical vulnerability impacting certain Citrix NetScaler devices has been discovered by researchers at Bishop Fox, allowing attackers to access sensitive information from device memory. The vulnerability was found in Citrix NetScaler ADC and Gateway running version 13.1-50.23, but has since been quietly fixed by Citrix.
The affected devices are utilized for authentication, authorization, and auditing (AAA) as well as remote access. The most recent version of NetScaler, 14.1-21.15, was released on April 23, 2024.
This vulnerability is similar to the Citrix Bleed vulnerability from last year, CVE-2023-4966, which received a high severity rating. The bug allowed out-of-bounds memory reading that could potentially expose sensitive information. Unlike CVE-2023-4966, the recently fixed vulnerability is less likely to reveal highly sensitive data to attackers.
Citrix has silently addressed the vulnerability in NetScaler version 13.1-51.15, but has not disclosed it publicly or assigned a CVE ID. Users are advised to update to version 13.1-51.15 or later to mitigate the risk posed by the vulnerability. Bishop Fox has warned that attackers may be able to access sensitive data from memory, including POST request bodies that may contain credentials or cookies.
It remains unclear whether Citrix shared information about the vulnerability with its customers privately or recognized Bishop Fox’s findings as a vulnerability. The issue has now been resolved, but users are urged to update their NetScaler devices to protect against potential exploitation.
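One way to act on the update advice across a fleet, as an added example that is not from the article, Citrix or Bishop Fox: it parses NetScaler version strings and flags 13.1 builds below 13.1-51.15. The host names, sample strings and the `NS13.1: Build 50.23.nc` banner layout are assumptions; branches other than 13.1 are reported separately because the article gives no fixed build for them.

```python
import re

FIXED_BRANCH = (13, 1)   # branch the article names
FIXED_BUILD = (51, 15)   # 13.1-51.15, the build the article says carries the fix

# Accepts "13.1-50.23" and a banner form such as "NS13.1: Build 50.23.nc".
# The banner layout is an assumption; adjust it to what your inventory exports.
_VERSION_RE = re.compile(
    r"(?:NS)?(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.IGNORECASE
)

def parse_version(text):
    """Return ((major, minor), (build_major, build_minor)) or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build_major, build_minor = map(int, m.groups())
    return (major, minor), (build_major, build_minor)

def classify(text):
    """Map one version string to: update, fixed, branch-not-covered, unparsed."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"            # needs a manual look, never assume safe
    branch, build = parsed
    if branch != FIXED_BRANCH:
        return "branch-not-covered"  # article states no fixed build here
    # Integer tuples compare numerically, so build 9.60 sorts below 51.15;
    # a plain string comparison would get that wrong.
    return "fixed" if build >= FIXED_BUILD else "update"

def triage(inventory):
    """inventory: {host: version string} -> {host: status}."""
    return {host: classify(version) for host, version in inventory.items()}

# Constructed sample inventory (hypothetical hosts and strings).
SAMPLE_INVENTORY = {
    "gw-01": "13.1-50.23",
    "gw-02": "NetScaler NS13.1: Build 51.15.nc, Date: (constructed)",
    "gw-03": "13.1-9.60",
    "gw-04": "14.1-21.15",
    "gw-05": "version unavailable",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unparsed` or `branch-not-covered` still need a manual check against Citrix's release notes.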
Article Source
https://www.csoonline.com/article/2098805/citrix-quietly-fixes-a-new-critical-vulnerability-similar-to-citrix-bleed.html/amp/