In the past week, the following vulnerabilities have been disclosed, affecting:
- Ivanti ICS
- Ivanti Policy Secure
- Citrix NetScaler ADC
- Citrix NetScaler Gateway
Ivanti ICS & Ivanti Policy Secure
CVSS: 8.2 HIGH (CVE-2023-46805)
CVSS: 9.1 CRITICAL (CVE-2024-21887)
Ivanti has disclosed the existence of two significant vulnerabilities affecting their Connect Secure and Policy Secure gateways, specifically versions 9.x and 22.x.
CVE-2023-46805 is an authentication bypass vulnerability, which allows a threat actor to remotely access restricted resources by bypassing control checks. CVE-2024-21887 is a command injection vulnerability, granting an authenticated user the ability to send specially crafted requests and execute arbitrary commands on the vulnerable device.
When utilised together, a threat actor can compromise a vulnerable device and execute code with admin rights, leaving the victim company open to a significant risk of network intrusion and further criminal activity.
Palo Alto’s Unit 42 has observed over 30,000 vulnerable devices spread across 141 countries. It is actively responding to incidents involving these vulnerabilities, highlighting their use by threat actors in the wild.
Ivanti is currently working on patches to fix these vulnerabilities. In the meantime, it is recommended that the mitigations Ivanti has suggested be implemented to avoid unnecessary risk. These can be found here.
Citrix NetScaler ADC & Citrix NetScaler Gateway
CVSS: 5.5 MEDIUM (CVE-2023-6548)
CVSS: 8.2 HIGH (CVE-2023-6549)
Citrix has identified and disclosed further vulnerabilities in its NetScaler ADC and NetScaler Gateway products. The following supported versions are affected:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
- NetScaler ADC 13.1-FIPS before 13.1-37.176
- NetScaler ADC 12.1-FIPS before 12.1-55.302*
- NetScaler ADC 12.1-NDcPP before 12.1-55.302*
*NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable
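To turn the affected-version list above into an inventory check, the following added example (not part of the original bulletin or of any Citrix tooling) compares a build in the advisory's own "branch-build" form against the first fixed build on its branch. It assumes a version string such as "13.1-51.15" and a separate variant label ("", "FIPS" or "NDcPP"), since the standard and FIPS 13.1 lines share a branch prefix but have different build numbers; the hostnames in the inventory are constructed.

```python
import re

# First fixed build per (branch, variant), taken from the affected-version
# list above: any lower build on that branch is affected.
FIXED_BUILDS = {
    ("14.1", ""): (12, 35),
    ("13.1", ""): (51, 15),
    ("13.0", ""): (92, 21),
    ("13.1", "FIPS"): (37, 176),
    ("12.1", "FIPS"): (55, 302),
    ("12.1", "NDcPP"): (55, 302),
}
# Standard 12.1 is End Of Life: no fixed build exists, so every build is affected.
EOL_BRANCHES = {"12.1"}

# Version strings in the advisory's "<branch>-<major>.<minor>" form, e.g. 13.1-51.15
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Split '13.1-51.15' into ('13.1', (51, 15)); reject anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_affected(version, variant=""):
    """True if the build is affected, False if it is at or above the fixed
    build, None if the branch/variant is not covered by this advisory."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        # Standard 12.1 has no fix; other unlisted branches are out of scope here.
        return True if (branch in EOL_BRANCHES and variant == "") else None
    return build < fixed  # tuple comparison: major build first, then minor


if __name__ == "__main__":
    # Constructed inventory for illustration only: (hostname, version, variant)
    inventory = [
        ("ns-edge-01", "14.1-12.35", ""),
        ("ns-edge-02", "13.1-49.13", ""),
        ("ns-fips-01", "13.1-37.176", "FIPS"),
        ("ns-legacy-01", "12.1-65.25", ""),
    ]
    labels = {True: "AFFECTED", False: "fixed", None: "not in advisory"}
    for host, version, variant in inventory:
        suffix = f"-{variant}" if variant else ""
        print(f"{host:14} {version}{suffix:8} {labels[is_affected(version, variant)]}")
```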
CVE-2023-6548 allows an authenticated, low-privileged threat actor to remotely execute code on the management interface of a vulnerable device. Exploitation requires access to the NSIP, CLIP or SNIP, which itself has management interface access.
CVE-2023-6549 applies to appliances configured as one of the following:
- VPN virtual servers
- ICA proxies
- CVPNs
- RDP proxies
- AAA virtual servers
The underlying weakness is improper restriction of operations within the bounds of a memory buffer; an unauthenticated threat actor can exploit it to cause a Denial of Service on the appliance.
A patch will follow in due course, but in the meantime, Citrix recommends the following:
- Ensure network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic
- Ensure the management interface is not exposed to the internet
- Ensure all previous patches are installed and software is up-to-date
Citrix has noted that these vulnerabilities have been observed in the wild and targeted by threat actors.