Citrix quietly fixed a vulnerability in its NetScaler Application Delivery Control (ADC) and Gateway appliances that allowed remote, unauthenticated attackers to potentially access sensitive information stored in the memory of the affected systems. The flaw was similar to the “CitrixBleed” zero-day vulnerability disclosed by Citrix last year, but not as severe, according to researchers at Bishop Fox who reported the issue to Citrix in January.
The attackers who exploited CitrixBleed used it to deploy ransomware, steal information, and carry out other malicious activities. The Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to promptly update their systems to patched versions of NetScaler to prevent widespread attacks targeting the vulnerability. Major organizations like Boeing and Comcast Xfinity were among those targeted by attackers.
In contrast, the vulnerability discovered by Bishop Fox in January was deemed less dangerous as it was less likely for attackers to obtain valuable information from vulnerable systems. However, the bug in NetScaler version 13.1-50.23 left a door open for attackers to occasionally capture sensitive data, including HTTP request bodies from the memory of affected devices.
Bishop Fox mentioned that Citrix acknowledged the vulnerability disclosure on February 1, but did not assign a CVE identifier to the flaw as it had already been addressed in NetScaler version 13.1-51.15 prior to the disclosure. It is unclear if Citrix privately informed customers about the vulnerability or viewed Bishop Fox’s findings as a significant issue. Bishop Fox noted that there had been no public disclosure of the defect thus far.
Citrix did not immediately respond to requests for clarification on when or if the company disclosed the flaw before addressing it in version 13.1-51.15. Bishop Fox described the vulnerability as an unauthenticated out-of-bounds memory issue that allowed attackers to access memory locations beyond the intended boundaries of a program. This could potentially lead to the theft of credentials or cryptographic material used by the NetScaler ADC and Gateway appliances.
The vulnerability affected NetScaler components used for remote access and as authentication, authorization, and auditing (AAA) servers. Bishop Fox found that the Gateway and AAA virtual server mishandled HTTP host request headers, similar to the underlying cause of CitrixBleed. The company’s proof-of-concept code demonstrated how remote adversaries could exploit the vulnerability to retrieve sensitive information for malicious purposes.
Bishop Fox recommended that organizations using the affected version of NetScaler upgrade to version 13.1-51.15 or later to mitigate the risk posed by the vulnerability.
Article Source
https://www.darkreading.com/cyber-risk/citrix-addresses-high-severity-flaw-in-netscaler-adc-and-gateway