CISA has given a timeframe of one to three weeks to fix three vulnerabilities related to Citrix NetScaler and Google Chrome. These zero-day vulnerabilities were actively used in cyber attacks.
2 Citrix RCEs Exploited In The Wild, CISA Urges to Update
Wednesday, January 17, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding actively exploiting three vulnerabilities. The involved vulnerabilities are CVE-2023-6548 and CVE-2023-6549. The agency immediately added these vulnerabilities to its Known Exploited Vulnerabilities Catalog and demanded that U.S. federal agencies patch it ASAP.
The first has a CVSS score of 5.5 and affects NetScaler ADC and Gateway management interfaces. Its deadline to fix it is January 24. As for the other two vulnerabilities, one of them can cause a denial of service condition on specific configurations. It concerns vulnerable Gateway appliances like VPN, ICA Proxy, CVPN, RDP Proxy services, or AAA virtual servers. This vulnerability has a CVSS score of 8.2, more than the previous one. However, CISA has given three weeks to fix these two vulnerabilities.
So, why would you prioritize fixing vulnerabilities with lower CVSS? When they are easy to exploit, this decision becomes more obvious and demanded. While exploiting some vulnerabilities with maximum CVSS requires certain conditions close to the laboratory, other issues require much less effort. It’s no wonder CISA so strongly recommends that this vulnerability be fixed first and foremost.
Citrix RCE Vulnerability Details
CVE-2023-6548 is a medium-severity (CVSS score of 5.5) Remote Code Execution (RCE) vulnerability that affects Citrix NetScaler ADC and Gateway appliances. It allows an authenticated attacker with low-level privileges to execute code on the management interface of the affected devices via NSIP, SNIP, or CLIP.
Next, the CVE-2023-6549 vulnerability is a Denial of Service (DoS) vulnerability. It was also found in the Citrix NetScaler ADC and has a CVSS score 8.2. Threat actors can exploit it under specific configurations of vulnerable appliances. As mentioned, VPN, ICA Proxy, CVPN, RDP Proxy services, or an AAA virtual server are at risk. The vulnerability can disrupt services by overwhelming the system, leading to a denial of service condition.
Citrix Responds to New Vulnerabilities
Citrix promptly published an advisory and recommended that customers immediately apply updates for affected versions. Customers using Citrix-managed cloud services or Adaptive Authentication are not required to take action. The company suggests separating network traffic to the appliance’s management interface and not exposing it to the internet, as outlined in their secure deployment guide.
In addition, the company strongly recommended that network traffic to the appliance’s management interface be separated, either physically or logically, from regular network traffic. Furthermore, the management interface should not be exposed to the internet, as outlined in their secure deployment guide.