Two vulnerabilities were disclosed by Citrix, which were CVE-2023-4966 and CVE-2023-4967, with critical and high severities, respectively. Of these two, CVE-2023-4966 has been released with a publicly available PoC. This vulnerability is associated with a sensitive information disclosure score of 9.4 (Critical).
This vulnerability existed in the Citrix Netscaler ADC and Netscaler Gateway versions before their latest release. However, Citrix has fixed this vulnerability, and patches have been issued.
CVE-2023-4966 – Proof of Concept
For diving deep, the vulnerable devices were looked upon inside the /netscaler/nsppe, the Netscaler packet processing engine containing the complete TCP/IP network stack and multiple HTTP services.
Additionally, the Ghidra tool was used to decompile the nsppe, and BinExport to create a BinDiff file. Comparing the compiled BinDiff file of two vulnerable devices, there were more than 50 different functions.
Two functions, ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config, were found to perform the same function to implement the OpenID Connect Discovery endpoint. Both of these functions are accessible without authentication.
Exploitation
The vulnerability existed on the return value of snprintf, which determines the number of bytes to send for the ns_vpn_send_response. As part of exploitation, snprintf is supplied with an exceeded buffer size of 0x20000 bytes.
Furthermore, a complete Proof of Concept report has been published by AssetNote, providing detailed information on the exploitation methods, detailed steps, and others.
Affected Products
| CVE ID | Affected Products | Fixed in Version |
| CVE-2023-4966 | NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50 | NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases |
| NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15 | NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1 | |
| NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19 | NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0 | |
| NetScaler ADC 13.1-FIPS before 13.1-37.164 | NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS | |
| NetScaler ADC 12.1-FIPS before 12.1-55.300 | NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS | |
| NetScaler ADC 12.1-NDcPP before 12.1-55.300 | NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP |
Users of these products are recommended to upgrade to the latest versions of these products to prevent these vulnerabilities from getting exploited.
Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.