Tuesday, July 2, 2024

Citrix Addresses High-Severity NetScaler Servers Flaw

Citrix appears to have quietly fixed a vulnerability in its NetScaler Application Delivery Controller (ADC) and Gateway appliances that gave remote, unauthenticated attackers a way to obtain potentially sensitive information from the memory of affected systems.

The bug was nearly identical to, but not as serious as, "CitrixBleed" (CVE-2023-4966), a critical zero-day vulnerability in the same two technologies that Citrix disclosed last year, according to researchers at Bishop Fox, who discovered the flaw and reported it to Citrix in January.

Like CitrixBleed, but Not as Severe

Attackers exploited CitrixBleed widely to deploy ransomware, steal information, and for other malicious purposes. The Cybersecurity and Infrastructure Security Agency (CISA) was among many that urged affected organizations to quickly update their systems to patched versions of NetScaler, citing reports of widespread attacks targeting the vulnerability. Boeing and Comcast Xfinity were among several major organizations that attackers targeted.

By contrast, the flaw Bishop Fox found in January was less dangerous because attackers would have been less likely to retrieve information of high value from a vulnerable system with it. Even so, the bug, present in NetScaler version 13.1-50.23, did leave the door open for an attacker to occasionally capture sensitive information, including HTTP request bodies, from the process memory of affected appliances, Bishop Fox said.

The company also said Citrix acknowledged its vulnerability disclosure on Feb. 1. But Citrix did not assign the flaw a CVE identifier because it had already fixed the issue in NetScaler version 13.1-51.15, prior to the disclosure, Bishop Fox said. It is not clear whether Citrix privately disclosed the vulnerability to customers at any time, or whether it even considered the issue Bishop Fox raised to be a vulnerability. Bishop Fox itself said there had been no public disclosure of the flaw until now.

Citrix did not immediately respond to a Dark Reading request for clarification on when, or whether, the company disclosed the flaw before fixing it in version 13.1-51.15.

Out-of-Bounds Memory Issue

In a blog post this week, Bishop Fox identified the vulnerability it discovered as an unauthenticated out-of-bounds memory issue, a class of bug that lets an attacker access memory regions beyond the intended boundaries of a program. Bishop Fox said its researchers exploited the vulnerability to capture sensitive information, including HTTP request bodies, from an affected appliance's memory. The blog post read, "This could potentially allow attackers to obtain credentials submitted by users logging in to NetScaler ADC and Gateway appliances, or cryptographic material used by the appliance."

As with CitrixBleed, the flaw Bishop Fox found affected NetScaler components when used for remote access and as authentication, authorization, and auditing (AAA) servers. Specifically, the security vendor found that the Gateway and AAA virtual servers handled HTTP Host request headers in an unsafe manner, which was the same underlying cause as CitrixBleed. The company's proof-of-concept code demonstrated how a remote adversary could exploit the vulnerability to retrieve information potentially useful for an attack.
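To make the bug class concrete, here is an added illustration of how unsafe handling of a client-controlled Host header can turn into an out-of-bounds memory read. It is not Bishop Fox's proof of concept and not NetScaler code; the handler, the JSON format string, and the 64-byte buffer are hypothetical. The unsafe variant trusts the return value of snprintf, which reports the length the full string would have had rather than the bytes actually written, so a caller that sends that many bytes from the buffer reads past what was formatted. The hardened variant clamps the length to what was really written and, for a defender, the overread count is the check that a fuzzer or unit test would assert on.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical response buffer size; small so the over-read is easy to see. */
#define RESP_CAP 64

/* Hypothetical format that echoes the client's Host header into a reply.
   The fixed text around %s is 27 bytes long. */
#define REPLY_FMT "{\"issuer\":\"https://%s/oauth\"}"

/* Unsafe: returns snprintf's would-be length. If the Host header is long,
   this exceeds the bytes actually stored in out[], and a caller that sends
   "claimed" bytes from out[] reads past the formatted data. */
size_t build_reply_unsafe(const char *host, char *out, size_t cap) {
    int n = snprintf(out, cap, REPLY_FMT, host);
    return n < 0 ? 0 : (size_t)n;          /* BUG: may be >= cap */
}

/* Hardened: never report more than what snprintf actually wrote. */
size_t build_reply_safe(const char *host, char *out, size_t cap) {
    int n = snprintf(out, cap, REPLY_FMT, host);
    if (n < 0) return 0;                    /* encoding error: send nothing */
    if ((size_t)n >= cap) return cap - 1;   /* truncated: cap-1 bytes + NUL */
    return (size_t)n;
}

/* Builds a constructed Host header of host_len 'a' characters. */
static void make_host(char *host, size_t host_cap, size_t host_len) {
    if (host_len >= host_cap) host_len = host_cap - 1;
    memset(host, 'a', host_len);
    host[host_len] = '\0';
}

/* How many bytes beyond the formatted data the unsafe path would expose
   for a Host header of the given length. 0 means the reply fit. */
size_t unsafe_overread_for_host_len(size_t host_len) {
    char host[256];
    char buf[RESP_CAP];
    make_host(host, sizeof host, host_len);
    size_t claimed = build_reply_unsafe(host, buf, sizeof buf);
    size_t written = strlen(buf);
    return claimed > written ? claimed - written : 0;
}

/* Length the hardened path reports for the same Host header; this always
   equals strlen(buf), so nothing past the formatted data is ever sent. */
size_t safe_len_for_host_len(size_t host_len) {
    char host[256];
    char buf[RESP_CAP];
    make_host(host, sizeof host, host_len);
    return build_reply_safe(host, buf, sizeof buf);
}

int main(void) {
    printf("short host: unsafe over-read %zu bytes, safe length %zu\n",
           unsafe_overread_for_host_len(10), safe_len_for_host_len(10));
    printf("long host:  unsafe over-read %zu bytes, safe length %zu\n",
           unsafe_overread_for_host_len(100), safe_len_for_host_len(100));
    return 0;
}
```

With a 10-byte host the reply fits and both paths agree; with a 100-byte host the unsafe path claims 127 bytes while only 63 were formatted, so 64 bytes of whatever follows in the buffer would be sent. The practical takeaway is the same as the article's: treat every length derived from client input as untrusted, and compare it against the buffer capacity before using it to size a response.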

"Bishop Fox staff analyzed vulnerable Citrix deployments and observed instances where the disclosed memory contained data from HTTP requests, sometimes including POST request bodies," the company noted. Bishop Fox recommended that organizations running the affected NetScaler version upgrade to version 13.1-51.15 or later.
