The advisory lists prior access to the NetScaler IP (NSIP), Cluster IP (CLIP), or Subnet IP (SNIP) with management interface access as a prerequisite for exploiting CVE-2023-6548. The vulnerability carries a Common Vulnerability Scoring System (CVSS) rating of 5.5, making it a flaw of “medium” severity.
CVE-2023-6549, with a CVSS rating of 8.2, is a vulnerability of “high” severity and requires the appliance to be “configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy),” according to the advisory.
Affected appliances run earlier versions
The affected appliances include those running outdated versions of NetScaler ADC and NetScaler Gateway. Vulnerable versions include NetScaler ADC and NetScaler Gateway 13.0 (before 13.0-92.21), 13.1 (before 13.1-51.15), and 14.1 (before 14.1-12.35).
In addition, the Federal Information Processing Standard (FIPS) compliant versions, including NetScaler ADC FIPS 12.1 (before 12.1-55.302) and 13.1 (before 13.1-37.176), are also affected. NetScaler ADC 12.1-NDcPP before 12.1-55.302, compliant under the Network Device Collaborative Protection Profile, is affected too.
“NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL) and is vulnerable,” Citrix added.
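As an added example (not code from the article or from Citrix), the following check compares a NetScaler build string against the fixed builds listed above, treating the 14.1 entry as "before 14.1-12.35" in line with the other entries and the standard 12.1 train as EOL and therefore still affected; the version strings used are constructed for illustration.

```python
import re

# Fixed builds from the advisory summary: a build strictly below the listed
# value on the same release train is affected. Keys are (major, minor),
# values are (build, sub) for the first fixed build.
FIXED_BUILDS = {
    "standard": {(13, 0): (92, 21), (13, 1): (51, 15), (14, 1): (12, 35)},
    "fips":     {(12, 1): (55, 302), (13, 1): (37, 176)},
    "ndcpp":    {(12, 1): (55, 302)},
}
# Release trains with no fixed build: standard 12.1 is End of Life and
# remains vulnerable at every build.
EOL_TRAINS = {"standard": {(12, 1)}}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(text):
    """Parse 'MAJOR.MINOR-BUILD.SUB' (e.g. '13.1-48.47') into ((13, 1), (48, 47))."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor), (build, sub)


def is_affected(version, variant="standard"):
    """True if the build is below the fixed build for its train or the train is EOL.

    variant is one of 'standard', 'fips' or 'ndcpp'. Returns None for a
    release train the advisory summary does not list, so callers can treat
    'unknown' separately from 'fixed'. This checks the build only; whether
    CVE-2023-6549 is reachable still depends on the Gateway configuration.
    """
    train, build = parse_version(version)
    if train in EOL_TRAINS.get(variant, set()):
        return True
    fixed = FIXED_BUILDS.get(variant, {}).get(train)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (build, sub) is ordered numerically


if __name__ == "__main__":
    # Constructed sample inventory: (version string, variant)
    for ver, var in [("13.1-48.47", "standard"), ("13.1-51.15", "standard"),
                     ("12.1-65.39", "standard"), ("12.1-55.300", "fips")]:
        print(ver, var, "affected" if is_affected(ver, var) else "fixed")
```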
Citrix has recommended that customers immediately update to the latest supported versions, which address these vulnerabilities. “Exploits of these CVEs on unmitigated appliances have been observed,” Citrix said. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” Citrix recently discovered several high-severity vulnerabilities in the same product lines.