DIVD-2024-00018 - Out-Of-Bounds memory read vulnerability in Citrix Netscaler and Gateway

Our reference DIVD-2024-00018
Case lead Stan Plasmeijer
Researcher(s)
CVE(s)
Products
  • Citrix NetScaler ADC and Citrix NetScaler Gateway products (VPN virtual server, ICA Proxy, CVPN, RDP Proxy)
Versions
  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302
  • NetScaler ADC and NetScaler Gateway version 12.1 and before
Recommendation If any of the mentioned vulnerable versions is used, it's recommend to update to atleast a patched version. When version 12.1 or before is used, an upgrade is needed.
Patch status Released
Status Closed
Last modified 13 Jul 2024 13:04 CEST

Summary

In Citrix Netscaler and Gateway products (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), an Out-Of-Bounds Memory Read vulnerability has been found by BishopFox. This vulnerability allows malicious actors to read information from memory, although they cannot do so in a controlled manner. BishopFox has found instances where the disclosed memory contained data from HTTP requests, sometimes including POST request bodies.

BishopFox discovered the vulnerability on January 22 and publicy disclosed it on May 6, 2024. Citrix has updated CVE-2023-6549 to include this out-of-bounds memory read vulnerability.

Recommendations

If a vulnerable Citrix version is used, it is recommended to update it to the latest possible version.

Should an end-of-life version be used, we recommend upgrading the Citrix instance.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of Citrix that contains this vulnerability and notify these parties. We do this by checking whether the Citrix instance has been patched for the vulnerability, for this we are using a minimized Proof-of-Concept (PoC). The minimized PoC, doesn’t return any information.

Timeline

Date Description
08 May 2024 DIVD starts researching the vulnerability.
08 May 2024 DIVD finds fingerprint, preparing to scan.
08 May 2024 DIVD starts scanning the internet for vulnerable instances.
17 Jun 2024 Case opened, first version of this casefile
17 Jun 2024 DIVD starts scanning the internet for vulnerable instances.
21 Jun 2024 First round of notifications sent out
13 Jul 2024 DIVD rescans the internet for vulnerable instances
13 Jul 2024 DIVD starts notifying network owners with a vulnerable instance for the second time
13 Jul 2024 Case closed
gantt title DIVD-2024-00018 - Out-Of-Bounds memory read vulnerability in Citrix Netscaler and Gateway dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00018 - Out-Of-Bounds memory read vulnerability in Citrix Netscaler and Gateway (66 days) :2024-05-08, 2024-07-13 section Events DIVD starts researching the vulnerability. : milestone, 2024-05-08, 0d DIVD finds fingerprint, preparing to scan. : milestone, 2024-05-08, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-05-08, 0d Case opened, first version of this casefile : milestone, 2024-06-17, 0d DIVD starts scanning the internet for vulnerable instances. : milestone, 2024-06-17, 0d First round of notifications sent out : milestone, 2024-06-21, 0d DIVD rescans the internet for vulnerable instances : milestone, 2024-07-13, 0d DIVD starts notifying network owners with a vulnerable instance for the second time : milestone, 2024-07-13, 0d Case closed : milestone, 2024-07-13, 0d

More information