CVE-2023-6549 vulnerability in Citrix Products
Published on January 17, 2024
Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service
Known Exploited Vulnerability
This Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Citrix NetScaler ADC and NetScaler Gateway contain a buffer overflow vulnerability that allows for a denial-of-service when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
The following remediation steps are recommended / required by February 7, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2023-6549 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
What is a Buffer Overflow Vulnerability?
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
CVE-2023-6549 has been classified to as a Buffer Overflow vulnerability or weakness.
Products Associated with CVE-2023-6549
You can be notified by stack.watch whenever vulnerabilities like CVE-2023-6549 are published in these products:
What versions are vulnerable to CVE-2023-6549?
- Citrix Netscaler Gateway Version 13.0 Fixed in Version 13.0-92.21
- Citrix Netscaler Gateway Version 13.1 Fixed in Version 13.1-51.15
- Citrix Netscaler Gateway Version 14.1 Fixed in Version 14.1-12.35
- Citrix Netscaler Application Delivery Controller Version 12.1 Fixed in Version 12.1-55.302
- Citrix Netscaler Application Delivery Controller Version 12.1 Fixed in Version 12.1-55.302
- Citrix Netscaler Application Delivery Controller Version 13.1 Fixed in Version 13.1-37.176
- Citrix Netscaler Application Delivery Controller Version 13.0 Fixed in Version 13.0-92.21
- Citrix Netscaler Application Delivery Controller Version 13.1 Fixed in Version 13.1-51.15
- Citrix Netscaler Application Delivery Controller Version 14.1 Fixed in Version 14.1-12.35