CTX677944

CTX677944

by | Jul 9, 2024 | ALARM, ctx_adc

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2024-5491 and CVE-2024-5492

Security Bulletin | Severity: High | Created: 09 Jul 2024 | Modified: 09 Jul 2024 | Status: Final

Applicable Products

  • NetScaler Gateway
  • NetScaler

Description of Problem

Two vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer to below for further details:

Affected Versions

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-25.53
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-53.17
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.31
  • NetScaler ADC 13.1-FIPS before 13.1-37.183
  • NetScaler ADC 12.1-FIPS before 12.1-55.304
  • NetScaler ADC 12.1-NDcPP before 12.1-55.304

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Summary

NetScaler ADC and NetScaler Gateway contain the vulnerabilities mentioned below 

CVE ID          DescriptionPre-requisites    CWECVSS
CVE-2024-5491Denial of ServiceADC or Gateway appliance configured with
SNMP (NSIP/SNIP)		CWE-119: Improper Restriction of Operations within the Bounds of a Memory BufferCVSS v4.0 Base Score: 7.1(CVSS:4.0/AV:A/AC:L/AT:NÅR:N/UI:N/VCH:N/VI:L/VA:H/SC:N/S:N/S:N) 
CVE-2024-5492Open redirect vulnerability allows a remote unauthenticated attacker to redirect users to arbitrary websitesRequires targeted user to access an attacker-controlled URL while being on a network with access to NSIPCWE-601: URL Redirection to Untrusted Site (‹Open Redirect›)CVSS v4.0 Base Score: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N)

What Customers Should Do

Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. 

  • NetScaler ADC and NetScaler Gateway 14.1-25.53 and later releases
  • NetScaler ADC and NetScaler Gateway   13.1-53.17 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway  13.0-92.31 and later releases of 13.0 
  • NetScaler ADC 13.1-FIPS 13.1-37.183 and later releases of 13.1-FIPS 
  • NetScaler ADC 12.1-FIPS 12.1-55.304 and later releases of 12.1-FIPS 
  • NetScaler ADC 12.1-NDcPP 12.1-55.304 and later releases of 12.1-NDcPP 

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities. 

CTX677944

CTX677100

by | Jun 11, 2024 | ALARM, ctx_workspace

XenServer and Citrix Hypervisor Security Update for CVE-2024-5661

Security Bulletin | Severity: Medium | Created: 11 Jun 2024 | Modified: 11 Jun 2024 | Status: Final

Applicable Products

  • Citrix Hypervisor

Description of Problem

An issue has been identified in both XenServer 8 and Citrix Hypervisor 8.2 CU1 LTSR which may allow a malicious administrator of a guest VM to cause the host to become slow and/or unresponsive.
This issue has the following identifier:

  • CVE-2024-5661

CVE-2024-5661 affects all deployments.

Summary

CVE IDDescriptionPre-requisitesCWECVSS
CVE-2024-5661Potential Denial of ServicePrivileged access within a guest VMCWE-7995,9

What Customers Should Do

For customers using XenServer 8, we have pushed an update to both the Early Access and Normal update channels. We recommend that customers update to the latest version from their chosen channel following the instructions at https://docs.xenserver.com/en-us/xenserver/8/update

For customers using Citrix Hypervisor 8.2 CU1 LTSR, we have released a hotfix to address this issue. We recommend that customers install this hotfix and follow the instructions in the linked article as their update schedule permits. The hotfix can be downloaded from the following location:

CTX677067- https://support.citrix.com/article/CTX677067

What Citrix is Doing

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.

CTX677944

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549 – Denial of Service

by | Jan 16, 2024 | ALARM, ctx_adc

Description of Problem

Two vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

Affected Versions: 

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Summary: 

NetScaler ADC and NetScaler Gateway contain the vulnerabilities described below. 

CVE IDDescriptionPre-requisitesCWECVSS
CVE-2023-6548Authenticated (low privileged) remote code execution on Management InterfaceAccess to NSIP, CLIP or SNIP with management interface accessCWE-945.5
CVE-2023-6549Denial of ServiceAppliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual serverCWE-1198.2

Mitigating Factors

CVE- 2023- 6548 only impacts the management interface. Cloud Software Group strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic. In addition, we recommend that you do not expose the management interface to the internet, as explained in the secure deployment guide. Removing such exposure to the internet greatly reduces the risk of exploitation of this issue. See NetScaler secure deployment guide ( https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html) for more information.

What Customers Should Do

Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. 

  • NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
  • NetScaler ADC and NetScaler Gateway  13.1-51.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0  
  • NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS  
  • NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS  
  • NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP 

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one supported version that addresses the vulnerabilities. 

CTX677944

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967

by | Okt 10, 2023 | ALARM, ctx_adc

Description of Problem

Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

Affected Versions: 

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.

Summary: 

NetScaler ADC and NetScaler Gateway contain unauthenticated buffer-related vulnerabilities mentioned below 

CVE IDDescriptionPre-requisitesCWECVSS
CVE-2023-4966Sensitive information disclosureAppliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual serverCWE-1199.4
CVE-2023-4967Denial of serviceAppliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual serverCWE-1198.2

What Customers Should Do

Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible: 

  • NetScaler ADC and NetScaler Gateway 14.1-8.50  and later releases
  • NetScaler ADC and NetScaler Gateway  13.1-49.15  and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0  
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS  
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS  
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP 

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

CTX677944

ShareFile StorageZones Controller Security Update for CVE-2023-24489

by | Aug 18, 2023 | ALARM, ctx_adc, ctx_workspace

Description of Problem

A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.

This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24.

This bulletin only applies to customer-managed ShareFile storage zones controllers. Customers using ShareFile-managed storage zones in the cloud do not need to take any action.

The issue has been given the following identifier: 

CVE IDAffected ProductsDescriptionPre-requisitesCWECVSS
CVE-2023-24489Citrix Content CollaborationImproper resource control allows unauthenticated remote compromiseNetwork access to the ShareFile storage zones controllerCWE-2849.1

What Customers Should Do

This issue has been addressed in the following versions of the customer-managed ShareFile storage zones controller:

  • ShareFile storage zones controller 5.11.24 and later versions

Customers are required to upgrade to the fixed version.  

The latest version of ShareFile storage zones controller is available from the following location:

https://www.citrix.com/downloads/sharefile/product-software/sharefile-storagezones-controller-511.html

Instructions for upgrading the Storage Zones Controller are here:

https://docs.sharefile.com/en-us/storage-zones-controller/5-0/upgrade.html

All customer-managed ShareFile storage zones controllers versions prior to the latest version 5.11.24 have been blocked to protect our customers. Customers will be able to reinstate the storage zones controller once the update to 5.11.24 is applied.

Customers should shut down any machine that was running an affected version of the storage zones controller software.

CTX677944

Citrix ADC NetScaler and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

by | Jul 18, 2023 | ALARM, ctx_adc

Es wird empfohlen das Update sobald wie möglich einzuspielen!

Description of Problem

Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13 
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36 
  • NetScaler ADC 12.1-NDcPP before 12.65.36 

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action. 

CVE IDAffected ProductsDescriptionPre-requisitesCWECVSS
CVE-2023-3466Citrix ADCReflected Cross-Site Scripting (XSS)Requires victim to access an attacker-controlled link in the browser while being on a network with connectivity to the NSIPCWE-208.3
CVE-2023-3467Citrix ADCPrivilege Escalation to root administrator (nsroot)Authenticated access to NSIP or SNIP with management interface accessCWE-2698
CVE-2023-3519Citrix ADCUnauthenticated remote code executionAppliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual serverCWE-949.8

What Customers Should Do

Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible. 

  • NetScaler ADC and NetScaler Gateway 13.1-49.13  and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0  
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS  
  • NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS  
  • NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP 

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.