CVE-2023-4966: Unauthenticated sensitive information disclosure in Citrix NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.


Description

Citrix NetScaler ADC and NetScaler Gateway are affected by an unauthenticated information disclosure vulnerability when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The issue is exploitable remotely over the network without authentication or user interaction and leaks sensitive data from the appliance; confidentiality and integrity impact are rated high and availability impact low, for a CVSS v3.1 base score of 9.4 (CRITICAL). Affected builds: NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50, 13.1 before 13.1-49.15 and 13.0 before 13.0-92.19; NetScaler ADC 13.1-FIPS before 13.1-37.164; NetScaler ADC 12.1-FIPS before 12.1-55.300; NetScaler ADC 12.1-NDcPP before 12.1-55.300. Appliances not configured as a Gateway or AAA virtual server are not exposed to this issue.

Overview

CVE-2023-4966, widely referred to as "Citrix Bleed", is an unauthenticated sensitive information disclosure in Citrix NetScaler ADC and NetScaler Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The vulnerability is reachable over the network, requires no privileges and needs no user interaction. Its CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L, giving a base score of 9.4 (CRITICAL): the integrity impact is rated high even though the flaw is an information disclosure, because the leaked data can include valid session tokens, as the public proof of concept listed under References demonstrates. An attacker holding such a token can replay it to impersonate an authenticated user without knowing a password or satisfying MFA. The vulnerability was exploited in the wild, so exposed appliances should be treated as potentially compromised until reviewed. Affected releases are the patch levels of NetScaler ADC 14.1, 13.1, 13.0, 13.1-FIPS, 12.1-FIPS and 12.1-NDcPP and of NetScaler Gateway 14.1, 13.1 and 13.0 below the thresholds listed in the Description.

Remediation

  • Upgrade to a fixed build that contains the CVE-2023-4966 fix (14.1-8.50, 13.1-49.15, 13.0-92.19, 13.1-37.164 FIPS, 12.1-55.300 FIPS/NDcPP or later; refer to Citrix CTX579459 for the current list). NetScaler ADC 12.1 non-FIPS is end of life and has no fixed build; it must be migrated to a supported release.
  • Patching alone does not invalidate session tokens that were already leaked. After upgrading, terminate all active and persistent sessions so that stolen tokens stop working; Citrix's guidance is to run the following on the appliance: kill icaconnection -all; kill rdp connection -all; kill pcoipConnection -all; kill aaa session -all; clear lb persistentSessions.
  • If patching immediately is not possible, reduce exposure: restrict Gateway and AAA virtual servers to trusted networks or IP allowlists, disable Gateway features that are not in use, and place firewall or WAF controls in front of the gateway endpoints. These measures limit who can reach the vulnerable service; they do not remove the flaw.
  • After patching or applying mitigations, verify the fix by checking the running build (show version on the appliance) against the fixed release, re-run vulnerability scans where possible, and review access and authentication logs for the exposure window for sessions that do not match the user's normal source address, device or working hours. Assume that credentials and sessions from the exposure window may have been captured: rotate credentials for accounts that authenticated through the gateway and re-issue any long-lived secrets stored on the appliance.
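The version check in the last step is easy to get wrong by hand because NetScaler build numbers are not decimals (build 92.100 is newer than build 92.19). The script below is an added example, not code from the page or from Citrix: it compares a NetScaler version string against the fixed-build thresholds stated above and triages a constructed host inventory. The version-string formats it accepts (the "NS13.1: Build 49.13.nc" form printed by show version and the "13.1-49.13" form used in advisories) are assumptions; whether an appliance runs a FIPS or NDcPP build must be known by the operator unless the string itself says so.

```python
"""Triage NetScaler ADC / Gateway builds against the CVE-2023-4966 fixed builds.

Added example; the thresholds are those stated in the advisory text (CTX579459).
Version-string formats and the sample inventory are assumptions/constructed data.
"""
import re
from typing import Dict, List, Optional, Tuple

# (release, variant) -> first fixed build, as a (major, minor) tuple so that
# comparisons are numeric per component, not lexical or decimal.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", "std"): (8, 50),
    ("13.1", "std"): (49, 15),
    ("13.0", "std"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Accepts "NS13.1: Build 49.13.nc", "NS13.1-FIPS: Build 37.160.nc",
# "13.1-49.13" and similar (assumed formats).
VERSION_RE = re.compile(
    r"(?:NS)?(\d+\.\d+)(?:-(FIPS|NDcPP))?[:\s-]+(?:Build\s+)?(\d+)\.(\d+)",
    re.IGNORECASE,
)


def parse_version(text: str, default_variant: str = "std"
                  ) -> Optional[Tuple[str, str, Tuple[int, int]]]:
    """Return (release, variant, (build_major, build_minor)) or None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    release = m.group(1)
    variant = m.group(2).lower() if m.group(2) else default_variant
    build = (int(m.group(3)), int(m.group(4)))
    return release, variant, build


def is_vulnerable(text: str, default_variant: str = "std") -> Optional[bool]:
    """True if the build predates the fix, False if fixed, None if unknown.

    Unknown covers unparseable strings and releases the advisory does not list
    (e.g. NetScaler 12.1 non-FIPS, which is end of life and has no fixed build).
    """
    parsed = parse_version(text, default_variant)
    if parsed is None:
        return None
    release, variant, build = parsed
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (92, 100) is newer than (92, 19)


def classify(text: str, default_variant: str = "std") -> str:
    result = is_vulnerable(text, default_variant)
    return {True: "vulnerable", False: "patched", None: "unknown"}[result]


# Constructed sample inventory (hostname, output of `show version`); not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("gw-east.example.internal", "NS13.1: Build 49.13.nc"),
    ("gw-west.example.internal", "NS14.1: Build 8.50.nc"),
    ("fips-gw.example.internal", "NS13.1-FIPS: Build 37.160.nc"),
    ("legacy.example.internal", "NS12.1: Build 65.25.nc"),
]


def triage(inventory: List[Tuple[str, str]], default_variant: str = "std") -> Dict[str, str]:
    """Map each host to vulnerable / patched / unknown."""
    return {host: classify(version, default_variant) for host, version in inventory}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:30s} {status}")
```

Treat "unknown" as a finding to investigate rather than as safe: it means either the version string did not parse or the release has no fixed build, and in the 12.1 non-FIPS case the correct remediation is migration, not a patch.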

References

  • https://support.citrix.com/article/CTX579459
  • http://packetstormsecurity.com/files/175323/Citrix-Bleed-Session-Token-Leakage-Proof-Of-Concept.html

Industry Exposure (most to least)
This section ranks industries by how often this CVE has been observed, based on customer reports, from most to least affected. It is intended to help organizations compare their exposure with that of their peers and prioritize patching and resource allocation. Note that for this CVE every listed industry is rated Low, so the ordering carries little information; exposure is determined by whether an organization runs a NetScaler Gateway or AAA virtual server on an unpatched build, not by sector.

  1. Retail Trade: Low
  2. Arts, Entertainment & Recreation: Low
  3. Finance and Insurance: Low
  4. Manufacturing: Low
  5. Public Administration: Low
  6. Accommodation & Food Services: Low
  7. Administrative, Support, Waste Management & Remediation Services: Low
  8. Agriculture, Forestry, Fishing & Hunting: Low
  9. Construction: Low
  10. Educational Services: Low
  11. Health Care & Social Assistance: Low
  12. Information: Low
  13. Management of Companies & Enterprises: Low
  14. Mining: Low
  15. Other Services (except Public Administration): Low
  16. Professional, Scientific, & Technical Services: Low
  17. Real Estate Rental & Leasing: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
