
Exploited Unauthenticated RCE Vulnerability CVE-2023-6548 in Citrix NetScaler ADC and NetScaler Gateway


Summary

New intelligence shows that exploitation of this RCE vulnerability does not require authentication


Threat details

Exploitation of CVE-2023-6548

Citrix has reported that CVE-2023-6548 is actively being exploited in the wild.


Introduction

The NHS England National Cyber Security Operations Centre (CSOC) is aware of intelligence provided by CrowdStrike that, contrary to Citrix's initial disclosure, the vulnerability known as CVE-2023-6548 does not require user privileges for exploitation. NHS England National CSOC now assesses CVE-2023-6548 as a critical vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable NetScaler Gateway or NetScaler ADC device.

CVE-2023-6548 has two different CVSSv3 scores attributed to it. The NIST National Vulnerability Database (NVD) has given it a score of 8.8, while Citrix rates the vulnerability at 5.5. The weakness is Improper Control of Generation of Code ('Code Injection', CWE-94) in NetScaler ADC and NetScaler Gateway and could allow a remote, unauthenticated attacker with network access to the management interface to execute arbitrary code. Because the attack path runs through the management interface, the exposure of that interface (NSIP, or any SNIP/CLIP with management access enabled) determines how reachable the vulnerability is from an attacker's position.

Reassessment of CVE-2023-6548

Citrix originally published a security advisory for CVE-2023-6548 and CVE-2023-6549 in January 2024, and Cyber Alert CC-4439 was published at medium severity. Following the intelligence supplied by CrowdStrike, this Cyber Alert is being republished at high severity to reflect the increased risk presented by the vulnerability.

The remediation advice given in January 2024 was to update to the most current versions of the software listed in Citrix advisory CTX584986. As further builds have been released since then, the revised remediation is to update to the most recent version of the software for the branch in use.


Remediation advice

Due to the change in severity of this vulnerability, affected organisations must update to the most recent version available, which as of July 2024 are:

  • 14.1 build 25.56
  • 13.1 build 53.24
  • 13.0 build 92.31

Affected organisations are also strongly encouraged to review and implement the guidance in Citrix's NetScaler Secure Deployment Guide. In particular, the management interface should not be reachable from the internet or from general user networks; restricting it to a dedicated management network reduces the reachability of this vulnerability while patching is scheduled, but is not a substitute for updating.
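To turn the build list above into a repeatable check, the following script (an added example, not part of this alert or of Citrix's tooling) parses the version line that NetScaler prints for `show ns version` (and returns in the NITRO `nsversion` object), in the form `NetScaler NSxx.y: Build aa.bb.nc, Date: ...`, and compares the build against the minimum fixed build for that branch as listed in this alert. The sample version lines and hostnames are constructed for illustration. Branches not listed here (12.1, and the separate 13.1-FIPS, 12.1-FIPS and 12.1-NDcPP build streams, which use different build numbers) are reported as unknown rather than guessed at; consult CTX584986 for those.

```python
import re

# Minimum fixed builds per branch, as listed in this alert for July 2024.
# Keyed by release branch; value is the (major, minor) build tuple.
FIXED_BUILDS = {
    "14.1": (25, 56),
    "13.1": (53, 24),
    "13.0": (92, 31),
}

# Matches the version line NetScaler prints, e.g.
#   "NetScaler NS13.1: Build 49.13.nc, Date: Jul 22 2023, 20:01:52   (64-bit)"
VERSION_RE = re.compile(
    r"NetScaler\s+NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<build>\d+\.\d+)"
)


def parse_version(text):
    """Return (branch, (build_major, build_minor)) or None if not parseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    build = tuple(int(part) for part in m.group("build").split("."))
    return m.group("branch"), build


def assess(text):
    """Classify one device's version string against the fixed builds above.

    Returns one of: "patched", "update-required", "unknown-branch", "unparsed".
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # e.g. 12.1, or FIPS/NDcPP streams: not covered by this alert's list.
        return "unknown-branch"
    # Tuple comparison gives numeric ordering on (major, minor), so
    # build 92.21 sorts below 92.31 as intended.
    return "patched" if build >= fixed else "update-required"


def assess_fleet(versions_by_host):
    """Map hostname -> assessment for a dict of collected version strings."""
    return {host: assess(text) for host, text in versions_by_host.items()}


# Constructed sample output, one line per device, as an operator might have
# collected it over SSH or from the NITRO API. Not real device data.
SAMPLE_FLEET = {
    "gw-01": "        NetScaler NS13.1: Build 53.24.nc, Date: Jul  9 2024, 11:02:21   (64-bit)",
    "gw-02": "        NetScaler NS13.1: Build 49.13.nc, Date: Jul 22 2023, 20:01:52   (64-bit)",
    "adc-03": "        NetScaler NS14.1: Build 25.56.nc, Date: Jul  9 2024, 10:41:07   (64-bit)",
    "adc-04": "        NetScaler NS13.0: Build 92.21.nc, Date: Jan  9 2024, 13:55:40   (64-bit)",
    "adc-05": "        NetScaler NS12.1: Build 55.302.nc, Date: Jan  9 2024, 14:12:03   (64-bit)",
}

if __name__ == "__main__":
    for host, status in sorted(assess_fleet(SAMPLE_FLEET).items()):
        print(f"{host:8s} {status}")
```

Run it against the version line from each device; anything reported as `update-required` is below the build this alert names for its branch, and anything `unknown-branch` needs a manual check against the vendor advisory rather than being treated as safe.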


Remediation steps

Type: Patch
Step: Release notes for NetScaler software version 14.1
https://docs.netscaler.com/en-us/citrix-adc/current-release/citrix-adc-release-notes.html

Type: Patch
Step: Release notes for NetScaler software version 13.1
https://docs.netscaler.com/en-us/citrix-adc/13-1/citrix-adc-release-notes.html

Type: Patch
Step: Release notes for NetScaler software version 13.0
https://docs.netscaler.com/en-us/citrix-adc/13/citrix-adc-release-notes.html


Last edited: 17 July 2024 1:05 pm