The American software company Citrix has released a security patch that fixes three vulnerabilities in NetScaler ADC and NetScaler Gateway. The flaws made it possible to obtain administrator rights and then steal sensitive information. Because the vulnerabilities are critical, the company recommends installing the updates immediately.
Citrix and the National Cyber Security Center (NCSC) state this in a security advisory.
Here’s what you need to know about NetScaler
NetScaler is a Citrix product group that allows companies and organizations to optimize applications and services, for example when someone makes a purchase online, trades shares or makes a video call with a general practice. In this way, the software company tries to improve the user experience that other parties offer, which in turn leads to more satisfied customers and higher turnover. System administrators use NetScaler to find problems in their applications faster and more efficiently.
Two applications from this product family, NetScaler ADC and NetScaler Gateway, contain multiple vulnerabilities.
Cross-site scripting, root privileges and RCE
Hackers and cybercriminals could exploit these vulnerabilities to conduct a cross-site scripting (XSS) attack. This is an attack in which malicious code is injected into a trusted site so that the victim is shown the content of a rogue site. This gives malicious parties access to session tokens, passwords and other sensitive information stored by a web browser. Attackers can also use this method to distribute malware or obtain user data.
The vulnerabilities also made it possible to obtain root privileges to steal confidential data and to perform unauthorized remote code execution (RCE). The condition is that vulnerable systems are configured as gateways (VPN Virtual Server, ICA Proxy, CVPN or RDP Proxy).
Vulnerabilities labelled as critical
The vulnerabilities, tracked as CVE-2023-3466, CVE-2023-3467 and CVE-2023-3519, have CVSS scores of 8.3, 8.0 and 9.8, respectively. CVSS stands for Common Vulnerability Scoring System and indicates the severity of a vulnerability. The higher this number, the greater the risk that companies run. For that reason, the bugs have been labelled as ‘critical/high’.
There is no evidence that hackers have exploited the vulnerabilities listed above to break into company networks and steal confidential company data. If system administrators or other IT staff do not close the gaps quickly, there is a real chance that this will happen, warns Citrix.
The software company is grateful to security experts Wouter Rijkbost and Jorren Geurts of the cybersecurity agency Resillion for discovering and reporting the vulnerabilities.
Update: Z-CERT, the Computer Emergency Response Team of the Dutch healthcare sector, warns healthcare institutions about the dangers of the vulnerabilities in the NetScaler products. “Due to the seriousness of this vulnerability, Z-CERT advises healthcare organizations to install the security update that has been made available as soon as possible,” the agency writes in a press release.