Citrix Security Updates – 11 October 2023

Citrix has released security updates to address multiple vulnerabilities across Citrix NetScaler ADC and NetScaler Gateway.

The vulnerabilities could allow a remote, unauthenticated attacker to cause a denial of service or to obtain sensitive information from an affected appliance. An appliance is affected only when it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server.

The addressed vulnerabilities:

1. Citrix NetScaler ADC and NetScaler Gateway Information Disclosure (CVE-2023-4966):

  • CVSS: 9.4
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Obtain Information

2. Citrix NetScaler ADC and NetScaler Gateway Denial of Service (CVE-2023-4967):

  • CVSS: 8.2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Denial of Service

It should be highlighted that NetScaler ADC and NetScaler Gateway version 12.1 has reached its end-of-life (EOL) date and is no longer supported by Citrix; no fix is provided for the 12.1 mainline release. Organisations still running it must upgrade to a supported release that contains the fix. (The 12.1-FIPS and 12.1-NDcPP releases remain supported and have fixed builds.)

Vulnerabilities

  • CVE-2023-4966
  • CVE-2023-4967

Mitigations

Affected organisations should deploy the fixed builds as soon as testing is complete. Because the information disclosed through CVE-2023-4966 can include valid session tokens, upgrading alone does not invalidate sessions captured before the patch; after the upgrade, terminate all active and persistent sessions (ICA, RDP, PCoIP and AAA sessions, and load-balancer persistence entries) and review authentication logs for session reuse from unexpected client addresses.
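As an added illustration (not part of the original advisory or of Citrix's tooling), the following Python script classifies the banner printed by the NetScaler CLI command `show ns version` against the fixed builds for these two CVEs. The fixed-build table reflects the builds Citrix published for this bulletin (CTX579459) and should be confirmed against the current vendor advisory before use; the sample banners are constructed. The `variant` argument (mainline, FIPS or NDcPP) and the `gateway_or_aaa` flag are operator-supplied assumptions, since the banner alone identifies neither the certified train nor the exposure condition.

```python
"""Check a NetScaler ADC / Gateway build against the fixed builds for
CVE-2023-4966 and CVE-2023-4967.

Added example, not Citrix's tooling. Input is the first line printed by the
NetScaler CLI command `show ns version`, for example:
    NetScaler NS13.1: Build 49.13.nc, Date: Sep 27 2023, 11:37:49   (64-bit)
Fixed builds below are taken from Citrix bulletin CTX579459; confirm them
against the current vendor advisory before relying on this table.
"""
import re

# (release train, variant) -> first fixed build as (build, sub-build).
# variant "" is the mainline train; "FIPS" / "NDcPP" are the certified trains.
# 12.1 mainline is EOL and has no fix.
FIXED_BUILDS = {
    ("14.1", ""):      (8, 50),    # 14.1-8.50
    ("13.1", ""):      (49, 15),   # 13.1-49.15
    ("13.0", ""):      (92, 19),   # 13.0-92.19
    ("13.1", "FIPS"):  (37, 164),  # 13.1-FIPS 37.164
    ("12.1", "FIPS"):  (55, 300),  # 12.1-FIPS 55.300
    ("12.1", "NDcPP"): (55, 300),  # 12.1-NDcPP 55.300
}

EOL_MAINLINE = {"12.1"}

# Matches "NS13.1: Build 49.13.nc"; the trailing date/arch text is ignored.
BANNER_RE = re.compile(
    r"\bNS(?P<release>\d+\.\d+):\s*Build\s+(?P<build>\d+)\.(?P<sub>\d+)"
)


def parse_banner(banner: str) -> tuple[str, int, int]:
    """Return (release, build, sub-build) from a `show ns version` banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    return m.group("release"), int(m.group("build")), int(m.group("sub"))


def assess(banner: str, variant: str = "", gateway_or_aaa: bool = True) -> str:
    """Classify an appliance.

    variant        -- "" (mainline), "FIPS" or "NDcPP". Supplied by the
                      operator: mainline and FIPS build numbers overlap, so the
                      banner alone cannot tell the trains apart (assumption).
    gateway_or_aaa -- True if any VPN / ICA Proxy / CVPN / RDP Proxy virtual
                      server or AAA virtual server is configured, i.e. the
                      exposure condition stated in the advisory.

    Returns one of: "patched", "vulnerable", "eol-vulnerable",
    "unknown-release", "not-exposed-patch-anyway".
    """
    release, build, sub = parse_banner(banner)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        # 12.1 mainline gets no fix; any other unlisted train is unsupported
        # and should be escalated rather than assumed safe.
        if release in EOL_MAINLINE and variant == "":
            state = "eol-vulnerable"
        else:
            state = "unknown-release"
    else:
        # Build numbers compare lexicographically as (build, sub-build).
        state = "patched" if (build, sub) >= fixed else "vulnerable"
    if state != "patched" and not gateway_or_aaa:
        # Without a Gateway/AAA vserver the two CVEs are not reachable today,
        # but the build is still unfixed and must be upgraded.
        return "not-exposed-patch-anyway"
    return state


if __name__ == "__main__":
    # Constructed sample banners, not captured from real appliances.
    samples = [
        ("NetScaler NS13.1: Build 49.13.nc, Date: Sep 27 2023, 11:37:49   (64-bit)", "", True),
        ("NetScaler NS13.1: Build 49.15.nc, Date: Oct 5 2023, 01:23:45   (64-bit)", "", True),
        ("NetScaler NS12.1: Build 65.25.nc, Date: Jan 5 2023, 00:00:00   (64-bit)", "", True),
        ("NetScaler NS12.1: Build 55.297.nc, Date: Jun 1 2023, 00:00:00   (64-bit)", "FIPS", True),
        ("NetScaler NS14.1: Build 4.42.nc, Date: Aug 1 2023, 00:00:00   (64-bit)", "", False),
    ]
    for banner, variant, exposed in samples:
        print(f"{banner.split(',')[0]:<40} variant={variant or 'mainline':<8} "
              f"exposed={exposed!s:<5} -> {assess(banner, variant, exposed)}")
```

Run it against the output of `show ns version` collected from each appliance (for example over SSH) and treat anything other than "patched" as an action item; a "not-exposed-patch-anyway" result still requires the upgrade, since a Gateway or AAA virtual server can be added later.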

References

  • Citrix Security Updates