We are sending you this security bulletin to inform you of an unauthenticated out-of-bounds memory read vulnerability in Citrix NetScaler ADC and Gateway. If you run the affected products in your environment, we strongly recommend reviewing this bulletin and upgrading to a fixed version to mitigate the risk posed by this vulnerability.
Summary
On May 6, 2024, Bishop Fox publicly disclosed a vulnerability, along with a proof-of-concept (PoC) exploit, in Citrix NetScaler ADC and Gateway. The issue is an unauthenticated out-of-bounds memory read in the components used for Authentication, Authorization, and Auditing (AAA). An unauthenticated attacker can use it to retrieve sensitive data from the memory of an affected appliance, including HTTP request bodies, which may contain credentials for the NetScaler ADC and Gateway appliances themselves, as well as session cookies. No Common Vulnerabilities and Exposures (CVE) ID or Common Vulnerability Scoring System (CVSS) score has been assigned to this vulnerability at this time.
Although Arctic Wolf has not observed active exploitation of this vulnerability in the wild, Bishop Fox has stated that it is nearly identical to Citrix Bleed (CVE-2023-4966), a critical vulnerability exploited by multiple ransomware threat actors in late 2023 against several industries. Arctic Wolf assesses that threat actors are likely to turn their attention to this vulnerability because of its close similarity to Citrix Bleed and its potential impact if exploited.
Arctic Wolf will follow its standard internal processes to assess the impact of this newly reported vulnerability within its own environment and if impacted, will address it within the established remediation timelines in our Security Patching Policy.
Recommendation
Upgrade to a Fixed Version of Citrix NetScaler ADC and Gateway
Arctic Wolf strongly recommends upgrading to version 13.1-51.15 or later to address this vulnerability. Note that the version table below covers only the 13.1 release train; other release trains are not addressed in this bulletin.
Affected Product                  Affected Versions   Fixed Version
Citrix NetScaler ADC and Gateway  13.1-50.23          13.1-51.15 or later
Please follow your organization's patching and testing guidelines to avoid any operational impact.
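The following script is an added example, not part of the original bulletin or of any Arctic Wolf, Bishop Fox or Citrix tooling. It classifies a NetScaler build against the version table above, accepting either the hyphenated form used in the bulletin (13.1-50.23) or the version line printed by `show ns version` on the appliance. The assumed format of that line ("NetScaler NS13.1: Build 50.23.nc ...") is an assumption about the CLI output and should be checked against your own appliances; all sample outputs below are constructed. Builds outside the table (other 13.1 builds, 13.0, 14.1, and so on) are deliberately reported as "not-covered" rather than "fixed", because the bulletin says nothing about them.

```python
"""Classify a NetScaler ADC/Gateway build against the bulletin's version table.

Added example; not vendor code. The `show ns version` line format is assumed.
"""
import re
from typing import NamedTuple, Optional, Tuple


class NsBuild(NamedTuple):
    release: Tuple[int, int]  # (major, minor), e.g. (13, 1)
    build: Tuple[int, int]    # (build, point), e.g. (51, 15)


# Versions taken from the bulletin's table (13.1 release train only).
AFFECTED_BUILD = NsBuild((13, 1), (50, 23))
FIXED_BUILD = NsBuild((13, 1), (51, 15))

# Hyphenated form used in advisories, e.g. "13.1-50.23".
DASH_RE = re.compile(r"\b(\d+)\.(\d+)-(\d+)\.(\d+)\b")
# Assumed format of the `show ns version` line, e.g. "NetScaler NS13.1: Build 50.23.nc".
CLI_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_ns_version(text: str) -> Optional[NsBuild]:
    """Extract a NetScaler build from advisory text or CLI output, or None."""
    for pattern in (CLI_RE, DASH_RE):
        m = pattern.search(text)
        if m:
            major, minor, build, point = (int(x) for x in m.groups())
            return NsBuild((major, minor), (build, point))
    return None


def classify(v: NsBuild) -> str:
    """Return 'affected', 'fixed' or 'not-covered'.

    Only 13.1-50.23 is listed as affected and only 13.1-51.15 or later as
    fixed. Anything else is outside the bulletin's table and must be checked
    against the vendor advisory rather than assumed safe.
    """
    if v.release != FIXED_BUILD.release:
        return "not-covered"
    if v.build == AFFECTED_BUILD.build:
        return "affected"
    if v.build >= FIXED_BUILD.build:  # tuple comparison: (52, 1) >= (51, 15)
        return "fixed"
    return "not-covered"


def check_output(text: str) -> str:
    """Parse and classify; 'unparsed' when no build string is found."""
    v = parse_ns_version(text)
    return "unparsed" if v is None else classify(v)


# Constructed sample outputs (not captured from real appliances).
SAMPLES = {
    "affected": " NetScaler NS13.1: Build 50.23.nc\n Done\n",
    "fixed": " NetScaler NS13.1: Build 51.15.nc\n Done\n",
    "later-13.1": " NetScaler NS13.1: Build 52.19.nc\n Done\n",
    "other-train": " NetScaler NS14.1: Build 21.57.nc\n Done\n",
    "garbage": " Done\n",
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(f"{name}: {check_output(out)}")
```

Run it against the saved output of `show ns version` from each appliance; any result other than "fixed" means the build is either listed as affected or not addressed by this bulletin and needs a separate check against the vendor's advisory.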