1. Summary

Vulnerability Name

Citrix NetScaler ADC and NetScaler Gateway Denial of Service Vulnerability (CVE-2023-6549)

Release Date

January 18, 2024

Component Name

NetScaler ADC and NetScaler Gateway

Affected Versions

NetScaler ADC & NetScaler Gateway 14.1 < 14.1-12.35
NetScaler ADC & NetScaler Gateway 13.1 < 13.1-51.15
NetScaler ADC & NetScaler Gateway 13.0 < 13.0-92.21
NetScaler ADC 13.1-FIPS < 13.1-37.176
NetScaler ADC 12.1-FIPS < 12.1-55.302
NetScaler ADC 12.1-NDcPP < 12.1-55.302

Vulnerability Type

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Severity

CVSS v3 Base Score: 8.2 (High)

Exploitability

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Impact

Confidentiality Impact: None

Integrity Impact: Low

Availability Impact: High

2. About CVE-2023-6549

2.1 About the Component

NetScaler ADC is an application delivery controller and load balancer that provides security, visibility, and availability for the applications it fronts. NetScaler Gateway provides secure remote access, letting users reach applications and data from any location. Both products ship as the same appliance firmware, which is why one build fixes both.

2.2 About the Vulnerability

On January 18, 2024, Sangfor FarSight Labs received notification of a denial of service vulnerability (CVE-2023-6549) in Citrix NetScaler ADC and NetScaler Gateway, classified as high severity (CVSS Score 8.2) by Citrix.

Citrix classifies the flaw as CWE-119 (improper restriction of operations within the bounds of a memory buffer). An unauthenticated remote attacker can send crafted network requests to a vulnerable appliance and cause a denial of service, taking the appliance out of service without any user interaction. Per the Citrix bulletin, exploitation requires that the appliance be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server; that configuration is a prerequisite, so appliances without any of those virtual servers are not exposed to this CVE, although they should still be upgraded.

CVE-2023-6549 was added to CISA's Known Exploited Vulnerabilities Catalog on January 17, 2024, together with CVE-2023-6548, which Citrix disclosed in the same bulletin. Citrix stated that exploits of these CVEs on unmitigated appliances had been observed, so the upgrade should be treated as urgent.

3. Affected Versions

NetScaler ADC & NetScaler Gateway 14.1 < 14.1-12.35

NetScaler ADC & NetScaler Gateway 13.1 < 13.1-51.15

NetScaler ADC & NetScaler Gateway 13.0 < 13.0-92.21

NetScaler ADC 13.1-FIPS < 13.1-37.176

NetScaler ADC 12.1-FIPS < 12.1-55.302

NetScaler ADC 12.1-NDcPP < 12.1-55.302

Note: NetScaler ADC and NetScaler Gateway 12.1 (other than the 12.1-FIPS and 12.1-NDcPP builds listed above) are End Of Life (EOL). They are vulnerable and will not receive a fix, so they must be upgraded to one of the supported releases that address the vulnerability.
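A practical way to apply the list above across a fleet is to parse the version line each appliance reports and compare its build number against the fixed builds. The script below is an added example, not code from the advisory or from Citrix. It assumes the version line has the form printed by the NetScaler CLI command show ns version ("NetScaler NS<release>: Build <major>.<minor>.nc, ..."); that format, the regular expression, the edition names standard/fips/ndcpp and the sample lines are all assumptions made for the example. Because a 13.1-FIPS appliance also reports "NS13.1", the caller has to state which edition the appliance runs.

```python
"""Check a NetScaler ADC / Gateway build against the fixed builds for CVE-2023-6549.

Added example, not from the advisory or from Citrix. It parses the version
line printed by `show ns version` (assumed format
"NetScaler NS<release>: Build <major>.<minor>.nc, ...") and compares the build
with the fixed builds listed in section 3 of the advisory.
"""
import re

# Fixed builds from section 3, keyed by (release, edition).
# A build is fixed when it is at or above the listed (major, minor) pair.
FIXED_BUILDS = {
    ("14.1", "standard"): (12, 35),
    ("13.1", "standard"): (51, 15),
    ("13.0", "standard"): (92, 21),
    ("13.1", "fips"): (37, 176),
    ("12.1", "fips"): (55, 302),
    ("12.1", "ndcpp"): (55, 302),
}

# Standard 12.1 is End Of Life: vulnerable, with no fixed build on that branch.
EOL_RELEASES = {"12.1"}

# Verdicts returned by assess().
FIXED = "fixed"
VULNERABLE = "vulnerable"
EOL_VULNERABLE = "eol-vulnerable"   # no fix on this branch; migrate
UNKNOWN = "unknown"                 # release/edition not covered by the bulletin

# Assumed CLI output format. The edition (standard/FIPS/NDcPP) is not encoded
# in this line, so assess() takes it as a separate argument.
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(version_line):
    """Return (release, (major, minor)) from a `show ns version` line."""
    m = VERSION_RE.search(version_line)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version line: {version_line!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version_line, edition="standard"):
    """Classify an appliance as fixed, vulnerable, eol-vulnerable or unknown."""
    release, build = parse_version(version_line)
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is not None:
        # Tuple comparison orders (92, 4) before (92, 21); a string compare would not.
        return FIXED if build >= fixed else VULNERABLE
    if release in EOL_RELEASES:
        return EOL_VULNERABLE
    return UNKNOWN


if __name__ == "__main__":
    # Constructed sample lines, not captured from real appliances.
    samples = [
        ("NetScaler NS13.1: Build 51.15.nc, Date: Jan 9 2024, 12:00:00", "standard"),
        ("NetScaler NS13.1: Build 49.13.nc, Date: Sep 1 2023, 12:00:00", "standard"),
        ("NetScaler NS13.0: Build 92.4.nc, Date: Nov 1 2023, 12:00:00", "standard"),
        ("NetScaler NS13.1: Build 37.176.nc, Date: Jan 9 2024, 12:00:00", "fips"),
        ("NetScaler NS12.1: Build 65.39.nc, Date: Jun 1 2022, 12:00:00", "standard"),
    ]
    for line, edition in samples:
        print(f"{edition:9s} {line.split(',')[0]:36s} -> {assess(line, edition)}")
```

A "fixed" verdict only means the build contains the CVE-2023-6549 fix; whether a given appliance was ever exposed also depends on it being configured as a Gateway or AAA virtual server, which this check does not read.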

4. Solutions

4.1 Remediation Solutions

4.1.1 Official Solution

Citrix has released fixed builds of NetScaler ADC and NetScaler Gateway (the builds listed in section 3). Affected users are strongly recommended to upgrade to the fixed build for their release branch, or a later one, as soon as possible; the fix is the upgrade itself. Appliances on the EOL 12.1 branch (other than 12.1-FIPS and 12.1-NDcPP) will not receive a fix and must be migrated to a supported release. Downloads are available at https://www.citrix.com/downloads/

5. Timeline

On January 18, 2024, Sangfor FarSight Labs received notification of a Citrix NetScaler ADC and NetScaler Gateway denial of service vulnerability (CVE-2023-6549).

On January 18, 2024, Sangfor FarSight Labs released a vulnerability alert.

6. References

https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549

https://nvd.nist.gov/vuln/detail/CVE-2023-6549

7. About Sangfor FarSight Labs

Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.
