
The US CISA has added two new security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. These vulnerabilities are:
- CVE-2023-4966: Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
- CVE-2023-1435: Cisco IOS XE Web UI Command Injection Vulnerability
Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
The flaw can disclose sensitive information from the affected appliances, thereby possibly laying the groundwork for more advanced and devastating attacks. It exclusively affects appliances configured as a Gateway or an AAA virtual server. Its exploitation requires no user interaction, no high privileges, and no great complexity, which makes it especially dangerous. The concerning bit? Citrix hasn’t detailed the exact information that could be exposed, leaving organizations in a precarious position.
Cisco IOS XE Web UI Command Injection Vulnerability
This vulnerability gives attackers a way into the system, permitting them to inject arbitrary commands that execute as the all-powerful root user. At its core, the vulnerability stems from poor input validation. An authenticated attacker can craft a malicious request containing arbitrary commands; once processed, these commands are executed with root privileges. Highlighting the urgency of the situation, Cisco’s PSIRT noted real-world attempts to exploit this vulnerability in October 2023. Cisco, being proactive, has already rolled out software updates addressing the flaw.
All Federal Civilian Executive Branch (FCEB) agencies are advised to apply the provided fixes by November 8 and 9, 2023. While this directive is for federal agencies, all organizations using these products should heed the call and take immediate action.