
Citrix has released a security advisory to address vulnerabilities discovered in its widely used NetScaler products. The vulnerabilities, tracked as CVE-2024-6235 and CVE-2024-6236, could allow unauthorized access to sensitive information or be used to cause a denial of service (DoS).
Information Disclosure
This vulnerability, tracked as CVE-2024-6235 and rated with a CVSSv4 score of 9.4, affects NetScaler Console. Successful exploitation could give an attacker unauthorized access to confidential data, potentially exposing trade secrets, customer information, or other sensitive assets managed through the Console.
Denial of Service
This vulnerability, tracked as CVE-2024-6236 and rated with a CVSSv4 score of 7.1, affects NetScaler Console, NetScaler SVM, and NetScaler Agent. An attacker exploiting this flaw could disrupt the normal operation of these components, leading to downtime and potential financial losses for affected organizations.
Multiple versions of NetScaler Console, SVM, and Agent are susceptible to these vulnerabilities. Cloud Software Group strongly urges customers to update their NetScaler software immediately to the patched versions listed in the advisory.
The specific patched versions for each product are:
- NetScaler Console: 14.1-25.53 or later for 14.1, 13.1-53.22 or later for 13.1, and 13.0-92.31 or later for 13.0
- NetScaler SVM: 14.1-25.53 or later for 14.1, 13.1-53.17 or later for 13.1, and 13.0-92.31 or later for 13.0
- NetScaler Agent: 14.1-25.53 or later for 14.1, 13.1-53.22 or later for 13.1, and 13.0-92.31 or later for 13.0
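Because the fixed build differs by product and by branch (note that SVM 13.1 is fixed at 53.17 while Console and Agent 13.1 need 53.22), it is easy to misjudge whether a given appliance is covered. The following is an added example, not code from Citrix or from the advisory: it encodes the fixed builds listed above and compares an inventory of reported versions against them. It assumes version strings in the "branch-build" form NetScaler uses (for example "14.1-25.53"); the inventory records are constructed sample data, and a branch not named in the advisory (such as an end-of-life branch) is reported separately rather than treated as patched.

```python
# Added example (not the Citrix advisory's own tooling): check NetScaler Console,
# SVM and Agent builds against the fixed builds listed in the advisory.
from typing import List, Optional, Tuple

# Fixed builds per product and branch, as listed in the advisory.
FIXED_BUILDS = {
    "console": {"14.1": "14.1-25.53", "13.1": "13.1-53.22", "13.0": "13.0-92.31"},
    "svm":     {"14.1": "14.1-25.53", "13.1": "13.1-53.17", "13.0": "13.0-92.31"},
    "agent":   {"14.1": "14.1-25.53", "13.1": "13.1-53.22", "13.0": "13.0-92.31"},
}


def parse_build(version: str) -> Tuple[str, Tuple[int, ...]]:
    """Split '13.1-53.22' into ('13.1', (53, 22)). Raises ValueError on junk input."""
    branch, _, build = version.strip().partition("-")
    if not branch or not build:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return branch, tuple(int(part) for part in build.split("."))


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if the build is at or above the fixed build for its branch,
    False if it is older, None if the branch is not covered by the advisory
    (the caller must not treat None as safe)."""
    branches = FIXED_BUILDS[product.lower()]
    branch, build = parse_build(version)
    fixed = branches.get(branch)
    if fixed is None:
        return None
    # Tuple comparison compares major build then minor build numerically,
    # so '13.1-53.9' correctly sorts below '13.1-53.22'.
    return build >= parse_build(fixed)[1]


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, version, status) for every entry that is not known-patched."""
    findings = []
    for host, product, version in inventory:
        status = is_patched(product, version)
        if status is True:
            continue
        findings.append((host, product, version,
                         "branch not in advisory" if status is None else "vulnerable"))
    return findings


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("adm-prod-01", "console", "14.1-25.53"),  # exactly the fixed build: patched
    ("adm-lab-02",  "console", "13.1-53.17"),  # fine for SVM, but Console needs 53.22
    ("svm-01",      "svm",     "13.1-53.17"),  # fixed build for SVM 13.1
    ("agent-dc2",   "agent",   "13.0-92.30"),  # one build short of 92.31
    ("adm-old",     "console", "12.1-55.5"),   # branch not listed in the advisory
]

if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host:12} {product:8} {version:12} {status}")
```

Treat a "branch not in advisory" result as a finding in its own right: a branch that receives no fix is not thereby safe, and the appliance should be moved to a supported branch before the patched build is applied.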
Citrix has also warned users of two further vulnerabilities, CVE-2024-6286 and CVE-2024-6151, found in the Citrix Workspace app for Windows and the Virtual Delivery Agent for Windows. Both carry a high-severity CVSSv4 score of 8.5.