Citrix, Google address Netscaler, Chrome zero-days

Citrix has rolled out security updates to fix two zero-day vulnerabilities in the NetScaler ADC and NetScaler Gateway appliances.


One of the flaws (CVE-2023-6548) is a code injection issue in the management interface that an authenticated, low-privileged remote attacker can exploit for remote code execution via a specially crafted request. According to Citrix's advisory, exploitation requires network access to the management interface (NSIP, CLIP or SNIP with management access enabled), which Citrix recommends keeping physically or logically separated from normal traffic and never exposing to the internet.


The second zero-day, tracked as CVE-2023-6549, is a buffer overflow that can be used to trigger a denial of service (DoS): a remote attacker sends specially crafted packets to the appliance, corrupting memory and causing it to fail. Successful exploitation requires that the appliance be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.


The flaws affect NetScaler ADC and NetScaler Gateway builds older than the following fixed releases (the list below is Citrix's fixed versions; earlier builds on each branch are vulnerable):

  • NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP

“Exploits of these CVEs on unmitigated appliances have been observed,” Citrix noted in a security advisory, urging customers to install updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.
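Two checks fall out of the advisory text above: is the running build at or above the fixed build for its branch, and is the CVE-2023-6549 pre-requisite (a Gateway or AAA virtual server) actually configured? The script below is an added example, not Citrix's code or tooling. It assumes the first line of `show ns version` looks like `NetScaler NS13.1: Build 51.15.nc, ...` (the FIPS/NDcPP variant has to be supplied separately, because a 13.1-FIPS build number such as 37.176 is lower than the non-FIPS fixed build 51.15 yet is patched), and it looks for the NetScaler CLI commands `add vpn vserver` and `add authentication vserver` in a running-config dump. The version line and config lines are constructed samples.

```python
"""Check a NetScaler ADC / Gateway build and config against the fixed-version
list for CVE-2023-6548 / CVE-2023-6549.

Added example; not Citrix code. Input formats and sample data are assumptions.
"""
import re
from typing import List, Optional, Tuple

# Minimum fixed builds per release branch, from the list in the article.
# Keys use Citrix's branch labels; values are (build major, build minor).
FIXED_BUILDS = {
    "14.1": (12, 35),
    "13.1": (51, 15),
    "13.0": (92, 21),
    "13.1-FIPS": (37, 176),
    "12.1-FIPS": (55, 302),
    "12.1-NDcPP": (55, 302),
}

# Assumed shape of the `show ns version` line: "NetScaler NS13.1: Build 51.15.nc, ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", re.I)

# Commands whose presence satisfies the CVE-2023-6549 pre-requisite:
# a Gateway (vpn vserver, which also covers ICA Proxy / CVPN / RDP Proxy
# deployments) or an AAA (authentication) virtual server.
GATEWAY_OR_AAA_RE = re.compile(
    r"^\s*add\s+(vpn|authentication)\s+vserver\s+(\S+)", re.I | re.M
)

# Constructed sample inputs for the demo at the bottom.
SAMPLE_VERSION_LINE = "NetScaler NS13.1: Build 49.13.nc, Date: Oct 11 2023, 09:14:22"
SAMPLE_CONFIG = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 203.0.113.10 443 -icaOnly ON
add authentication vserver aaa_vs SSL 203.0.113.11 443
"""


def parse_version(line: str) -> Tuple[str, int, int]:
    """Return (release, build_major, build_minor) from a version line."""
    m = VERSION_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised version line: {line!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_fixed(release: str, build: Tuple[int, int],
             variant: Optional[str] = None) -> Optional[bool]:
    """True if the build is at/after the fixed build for its branch, False if
    older, None if no fixed build is known for the branch (treat as affected).
    variant is "FIPS" or "NDcPP" for those builds, else None."""
    branch = f"{release}-{variant}" if variant else release
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build >= fixed  # tuple compare: build major first, then minor


def gateway_or_aaa_vservers(running_config: str) -> List[Tuple[str, str]]:
    """List (kind, name) for every vpn/authentication vserver in the config."""
    return [(k.lower(), n) for k, n in GATEWAY_OR_AAA_RE.findall(running_config)]


def assess(version_line: str, running_config: str,
           variant: Optional[str] = None) -> dict:
    """Combine the build check with the CVE-2023-6549 exposure check."""
    release, bmaj, bmin = parse_version(version_line)
    patched = is_fixed(release, (bmaj, bmin), variant)
    vservers = gateway_or_aaa_vservers(running_config)
    return {
        "branch": f"{release}-{variant}" if variant else release,
        "build": f"{release}-{bmaj}.{bmin}",
        "patched": patched,
        "gateway_or_aaa_vservers": vservers,
        # Unpatched (or unknown branch) AND a Gateway/AAA vserver present.
        "cve_2023_6549_exposed": patched is not True and bool(vservers),
        # CVE-2023-6548 needs only mgmt-interface reachability, so an
        # unpatched build is exposed regardless of vserver configuration.
        "cve_2023_6548_exposed": patched is not True,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION_LINE, SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

The branch lookup is the part most often got wrong by hand: a 13.1-FIPS appliance on build 37.176 is patched even though 37 is lower than the 51 of the non-FIPS fixed build, and a release with no entry in the fixed list (for example plain 12.1) gets `None`, which the exposure flags treat as unpatched rather than as safe.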


Separately, Google released security updates for its Chrome browser to patch several high-risk vulnerabilities, including a zero-day bug actively exploited in the wild.


Tracked as