On June 17th, a vulnerability was reported in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). The critical vulnerability allows an unauthenticated attacker to trigger a memory over-read and extract sensitive information over the network.

Threat Intelligence assessment

Citrix represents an attack surface that we have observed attackers adapt to rapidly, and we assess that there is a risk that the vulnerability will be exploited in the wild in the near term.

It is important to note that, as of now, no public proof-of-concept or technical reporting of the vulnerability is known.

At this time, there is limited information available regarding the vulnerability. However, according to Citrix, it has so far not been actively exploited. Citrix's advisory provides no information regarding the exploitation surface other than noting it is remotely exploitable.

NIST's description of the vulnerability implies that access to the administrator interface is required. At this time, we are not sure whether NIST is misinformed or Citrix has omitted that information from its advisory.

Affected systems

A prerequisite is that NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The following versions are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
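To turn the prerequisite and the version list above into a repeatable check across a fleet, the following script (an added example, not code from the advisory or from Citrix) compares a build string against the fixed builds listed here and looks for the Gateway and AAA virtual servers that make an appliance exposed. The "show version" output format and the ns.conf command forms ("add vpn vserver", "add authentication vserver") are assumptions about the appliance's own syntax; the sample version string and configuration are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# First fixed build per release branch, taken from the version list in this
# advisory. Key: (release branch, FIPS/NDcPP build?) -> (build, sub-build).
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
    ("12.1", True): (55, 328),
}

# Advisory form, e.g. "13.1-58.32-FIPS" or "14.1-43.56".
_ADVISORY_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)((?:-[A-Za-z]+)*)$")
# Assumed "show version" form: "NetScaler NS13.1: Build 58.32.nc, Date: ...".
_SHOWVER_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)(\.[A-Za-z0-9]+)?")
# Assumed ns.conf lines that create the server types the advisory names
# as a prerequisite (VPN/Gateway and AAA virtual servers).
_EXPOSURE_RE = re.compile(r"^\s*add\s+(vpn|authentication)\s+vserver\s+(\S+)", re.IGNORECASE)


def parse_build(text: str) -> Tuple[str, Tuple[int, int], bool]:
    """Return (branch, (build, sub-build), is_fips_or_ndcpp) for a version string."""
    text = text.strip()
    m = _ADVISORY_RE.match(text)
    if m:
        branch, major, minor, suffix = m.groups()
        tag = suffix.upper()
        return branch, (int(major), int(minor)), ("FIPS" in tag or "NDCPP" in tag)
    m = _SHOWVER_RE.search(text)
    if m:
        branch, major, minor, _ = m.groups()
        tag = text.upper()
        return branch, (int(major), int(minor)), ("FIPS" in tag or "NDCPP" in tag)
    raise ValueError(f"unrecognised NetScaler version string: {text!r}")


def assess(text: str) -> str:
    """'affected', 'fixed', or 'unknown' when the branch is not in the advisory list."""
    branch, build, is_fips = parse_build(text)
    fixed = FIXED_BUILDS.get((branch, is_fips))
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (build, sub-build) numerically, so 43.9 < 43.56.
    return "affected" if build < fixed else "fixed"


def exposed_vservers(ns_conf: str) -> List[str]:
    """Names of Gateway (vpn) and AAA (authentication) virtual servers in ns.conf."""
    found = []
    for line in ns_conf.splitlines():
        m = _EXPOSURE_RE.match(line)
        if m:
            found.append(m.group(2))
    return found


def triage(version_text: str, ns_conf: str) -> Dict[str, object]:
    """Combine the build check with the prerequisite check into one verdict."""
    status = assess(version_text)
    vservers = exposed_vservers(ns_conf)
    if status == "affected" and vservers:
        action = "upgrade now: vulnerable build with Gateway/AAA vserver configured"
    elif status == "affected":
        action = "upgrade: vulnerable build, prerequisite not currently met"
    elif status == "fixed":
        action = "none: fixed build"
    else:
        action = "manual review: branch not covered by advisory list"
    return {"status": status, "vservers": vservers, "action": action}


# Constructed sample input, not taken from any real appliance.
SAMPLE_VERSION = "NetScaler NS13.1: Build 57.26.nc, Date: Jan 1 2025, 00:00:00   (64-bit)"
SAMPLE_NS_CONF = """\
add vpn vserver gw_vs SSL 203.0.113.10 443
add authentication vserver aaa_vs SSL 203.0.113.11 443
add lb vserver web_vs HTTP 203.0.113.12 80
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_NS_CONF))
```

The boundary cases matter: a build equal to the fixed build is reported as fixed, a FIPS/NDcPP build is compared only against the FIPS/NDcPP threshold for its branch, and a branch the advisory does not list is returned as "unknown" rather than silently treated as safe.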

Recommendations

Given the mixed signals regarding the likelihood that the vulnerability can be exploited, we recommend treating the vulnerability as severe and assuming it is remotely exploitable without requiring access to the management interface. See also NetScaler's advisory for further details.

We also recommend the following:

  • Run the following commands to terminate all active ICA and PCoIP sessions after upgrading to fixed builds: "kill icaconnection -all", "kill pcoipConnection -all"
  • Restrict network access to the NetScaler Management Interface (NSIP, Cluster IP, GSLB IP)
  • Implement segmentation and firewall rules to limit unnecessary exposure of services
  • Monitor logs closely for unusual access patterns targeting management ports