Citrix appears to have quietly fixed a vulnerability in its NetScaler Application Delivery Controller (ADC) and Gateway appliances that gave remote, unauthenticated attackers a way to obtain potentially sensitive information from the memory of affected systems.
The bug was nearly identical to, but not as serious as, "CitrixBleed" (CVE-2023-4966), a critical zero-day vulnerability in the same two products that Citrix disclosed last year, according to researchers at Bishop Fox, who discovered the flaw and reported it to Citrix in January.
Like CitrixBleed, But Not as Severe
Attackers exploited CitrixBleed widely to deploy ransomware, steal data, and for other malicious purposes. The Cybersecurity and Infrastructure Security Agency (CISA) was among many that urged affected organizations to update their systems quickly to patched versions of NetScaler, citing reports of widespread attacks targeting the vulnerability. Boeing and Comcast Xfinity were among several major organizations that attackers targeted.
By contrast, the flaw Bishop Fox found in January was less dangerous because attackers would have been less likely to retrieve information of high value from a vulnerable system with it. Even so, the bug, present in NetScaler version 13.1-50.23, did leave the door open for an attacker to occasionally capture sensitive information, including HTTP request bodies, from the process memory of affected appliances, Bishop Fox said.
The company also said Citrix acknowledged its vulnerability disclosure on Feb. 1. But Citrix did not assign the flaw a CVE identifier because it had already addressed the issue in NetScaler version 13.1-51.15, prior to the disclosure, Bishop Fox said. It is not clear whether Citrix privately disclosed the vulnerability to customers at any point, or whether it even considered the issue Bishop Fox raised to be a vulnerability. Bishop Fox itself said there had been no public disclosure of the flaw until now.
Citrix did not immediately respond to a Dark Reading request for clarification on when, or whether, the company disclosed the flaw before addressing it in version 13.1-51.15.
Out-of-Bounds Memory Issue
In a blog post this week, Bishop Fox identified the vulnerability it found as an unauthenticated out-of-bounds memory read, a class of bug that lets an attacker access memory beyond the intended boundaries of a buffer. Bishop Fox said its researchers exploited the vulnerability to capture sensitive information, including HTTP request bodies, from an affected appliance's memory. The blog post read, "This could potentially allow attackers to obtain credentials submitted by users logging in to NetScaler ADC and Gateway appliances, or cryptographic material used by the appliance."
As with CitrixBleed, the flaw Bishop Fox found affected NetScaler appliances when configured as a Gateway for remote access or as an authentication, authorization, and auditing (AAA) virtual server. Specifically, the security vendor found the Gateway and AAA virtual servers handling HTTP Host request headers in an unsafe manner, which was the same underlying cause as CitrixBleed. The company's proof-of-concept code demonstrated how a remote adversary could exploit the vulnerability to retrieve information potentially useful for an attack.
"Bishop Fox staff analyzed vulnerable Citrix deployments and observed instances where the disclosed memory contained data from HTTP requests, sometimes including POST request bodies," the company noted. Bishop Fox recommended that organizations running the affected NetScaler version upgrade to version 13.1-51.15 or later.
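Because Citrix assigned no CVE, the only handle a defender has on this fix is the build number, so an inventory check has to compare NetScaler builds correctly rather than as strings. The script below is an added example, not code from Bishop Fox or Citrix. It parses builds in the "13.1-51.15" form used in the article and in the "NetScaler NS13.1: Build 51.15.nc, Date: ..." shape that `show ns version` prints (the latter format, and the sample inventory, are assumptions). It flags any 13.1 build older than 13.1-51.15 as needing review; that is a conservative reading of the article, which names only 13.1-50.23 as affected, and it deliberately returns "unknown" for other release branches, about which the article says nothing.

```python
import re
from typing import NamedTuple, Optional

# Build that Bishop Fox says contains the fix (from the article).
FIXED_BUILD = "13.1-51.15"


class NsBuild(NamedTuple):
    major: int     # 13 in 13.1-51.15
    minor: int     # 1
    build: int     # 51
    revision: int  # 15


# Matches "13.1-51.15" and the assumed `show ns version` output shape
# "NetScaler NS13.1: Build 51.15.nc, Date: ...".
_VER_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)(?:-|:\s*Build\s*)(\d+)\.(\d+)")


def parse_build(text: str) -> Optional[NsBuild]:
    """Extract a NetScaler build from a version string; None if unparseable."""
    m = _VER_RE.search(text)
    if not m:
        return None
    return NsBuild(*(int(g) for g in m.groups()))


def needs_upgrade(text: str, fixed: str = FIXED_BUILD) -> Optional[bool]:
    """True if `text` is a 13.1 build older than the fixed build, False if it is
    the fixed build or newer, None if unparseable or on another release branch.

    Tuple comparison is what makes this correct: as strings, "9.60" sorts
    after "51.15", which would mark an old build as patched."""
    current, patched = parse_build(text), parse_build(fixed)
    if current is None or patched is None:
        return None
    if (current.major, current.minor) != (patched.major, patched.minor):
        return None  # other branch: the article makes no claim about it
    return current < patched


def triage(inventory: dict) -> dict:
    """Map hostname -> needs_upgrade() result for a {host: version} inventory."""
    return {host: needs_upgrade(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are not from the article.
    sample = {
        "gw-01.example.test": "13.1-50.23",
        "gw-02.example.test": "NetScaler NS13.1: Build 9.60.nc, Date: Jan 1 2024",
        "gw-03.example.test": "13.1-51.15",
        "gw-04.example.test": "14.1-12.35",
    }
    for host, verdict in triage(sample).items():
        print(host, {True: "upgrade", False: "ok", None: "unknown"}[verdict])
```

Feed it the output of `show ns version` from each appliance (or a version column from an asset database), and treat "unknown" results as work items rather than as clean: a build on another branch still needs to be checked against Citrix's own guidance, which this article does not cover.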