Vulnerability in Citrix NetScaler ADC and Gateway (CVE-2023-4966): Citrix Bleed

Overview: Multiple vulnerabilities have been discovered in Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) affecting versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300 (End-of-Life)

Summary of Vulnerabilities: These vulnerabilities in NetScaler ADC and NetScaler Gateway are unauthenticated buffer-related flaws that lead to sensitive information disclosure and denial of service under specific configurations (e.g., VPN virtual servers, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers). They are classified under CWE-119 and carry CVSS scores of 9.4 and 8.2 respectively.

Recommendations for Action: Cloud Software Group urges immediate action for users of affected versions:

  • Install updated versions addressing these vulnerabilities:
      • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
      • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
      • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
      • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL). Upgrading to supported versions is recommended.
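Checking an estate against the affected and fixed builds above by hand is error-prone because the comparison is per release line (14.1, 13.1, 13.0) and per variant (standard, FIPS, NDcPP), and a build number on one line says nothing about another. The following Python script is an added example, not code from the advisory or from Cloud Software Group; it encodes the fixed builds listed above and classifies a version string. It accepts the `13.1-49.15` form used in the advisory and, as an assumption, the `NS13.1: Build 49.13.nc` form printed by the appliance's `show ns version` command. The inventory it runs over is constructed sample data.

```python
import re
from typing import Tuple

# Fixed builds per release line and variant, copied from the advisory above.
# Variant "" is the standard build; "FIPS" and "NDcPP" are the hardened builds.
# A build is stored as (build, sub) so tuples compare numerically, not as text.
FIXED_BUILDS = {
    ("14.1", ""): (8, 50),
    ("13.1", ""): (49, 15),
    ("13.0", ""): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Release lines the advisory marks End-of-Life: even a fixed build on these
# lines still warrants an upgrade to a supported release.
EOL_RELEASES = {"12.1"}

# "13.1-49.15" as written in the advisory, or "NS13.1: Build 49.13.nc" as
# printed by `show ns version` (the second format is an assumption here).
_ADVISORY_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")
_SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (release, (build, sub)) from either version string form."""
    m = _ADVISORY_RE.match(text.strip()) or _SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(text: str, variant: str = "") -> str:
    """Classify an installed build against the advisory's fixed builds.

    Returns "fixed", "affected", "fixed-eol", "affected-eol", or "unknown"
    when the (release, variant) pair does not appear in the advisory.
    """
    release, build = parse_version(text)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return "unknown"
    status = "fixed" if build >= fixed else "affected"
    if release in EOL_RELEASES:
        status += "-eol"
    return status


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version string, variant).
    inventory = [
        ("gw-01", "NS13.1: Build 49.13.nc", ""),
        ("gw-02", "13.1-49.15", ""),
        ("adc-fips", "13.1-37.160", "FIPS"),
        ("legacy", "12.1-55.300", "NDcPP"),
        ("lab", "11.1-65.23", ""),
    ]
    for host, ver, variant in inventory:
        label = variant or "standard"
        print(f"{host:10} {ver:25} {label:9} -> {assess(ver, variant)}")
```

A build reported as "fixed" only confirms the patch level; it says nothing about whether the appliance was exposed before the update was applied, which is why the remediation guidance referenced in the next step still applies after upgrading.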

If updating is not possible, follow Mandiant’s guidelines on remediation.

Additional Resources: Further information is available in Cloud Software Group’s published blogs:
