Citrix patches critical NetScaler bug

Citrix has disclosed two vulnerabilities, one of them critical, in its NetScaler ADC and NetScaler Gateway products.

While the company’s advisory is light on detail, it says the two bugs are buffer-related: CVE-2023-4966, an information disclosure vulnerability which carries a critical CVSS score of 9.4; and CVE-2023-4967 (reserved but yet to be fully disclosed, a denial-of-service bug with a CVSS score of 8.2.

In both cases, the appliance is only vulnerable if it’s configured as a gateway (a VPN virtual server, an ICA proxy, a clientless access CVPN or an RDP proxy) or a AAA (authentication, authorisation, accounting) virtual server.

Fixed releases are available for affected versions of the software, except for DC and NetScaler Gateway version 12.1, which is end-of-life.

Citrix has also rolled out patches to fix a number of third-party vulnerabilities in its Hypervisor running on AMD processors.

The issues affect Citrix Hypervisor 8.2 CU1 LTSR, and may expose a system to compromise via privileged code running in a guest virtual machine (VM).

Of the five vulnerabilities discussed by Citrix, only one – CVE-2023-20588 – has been fully disclosed by AMD.

This is a “division-by-zero error on some AMD processors” which can “potentially return speculative data resulting in loss of confidentiality.”

The other vulnerabilities have CVEs reserved but not yet published: CVE-2023-34326 (compromise an AMD-based host via a passed through PCI device); CVE-2023-34324 (cause the host to crash or become unresponsive); and CVE-2023-34327 (crash a different VM running on the same host).

Note: there is apparently a typo in the Citrix advisory; one cited vulnerability, CVE-2022-1304 (compromise the host when a specific administrative action is taken), carries the CVE of a bug in e2fsprogs, according to NIST.