Critical vulnerabilities found in NetScaler ADC

Web application security specialists report the presence of a serious security flaw in Citrix NetScaler/ADC that, if exploited, could allow an unauthenticated threat actor to perform arbitrary code execution on the target system.

The details revealed so far by Citrix are still minimal, although multiple web application security firms mention the identification of at least three components exposed to the exploitation of this flaw; the combination of the three vulnerable elements allows code execution attacks on the target NetScaler/ADC device.

Vulnerabilities allow threat actors to bypass a security layer (or authorization restriction) for creating a file with user-controlled content, which will then be processed using a server-side scripting language. There may be other ways to perform arbitrary code execution, so system administrators are advised to remain alert to new reports.

All supported product versions of Citrix ADC (formerly NetScaler) and Citrix Gateway are affected, web application security experts report. An attacker with access to the affected system’s web interface could exploit the flaw to take control of the system, access private network resources and perform many other malicious tasks by hijacking authenticated user sessions or stealing a user’s login credentials.

The company recommends that its users implement a specific response policy to filter out possible exploitation attempts. In addition, specialists at the International Institute of Cyber Security (IICS) recommend that system administrators apply the necessary mitigations to reduce the risk of exploitation until security updates issued by the company become available.

Tripwire IP360 starting with ASPL-865 contains remote heuristic detection of the vulnerable service. External attempts to exploit this flaw will likely include HTTP requests with ‘/../’ and ‘/vpns/’ in the URL, as noted in the mitigation steps suggested by Citrix. Administrators should also watch for requests with custom headers that contain walk patterns (for example, ‘/../’).
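As an added illustration (not code from the article, Citrix or Tripwire), the following Python checks a set of constructed request records for the two indicators named above, both in the URL and in header values; it goes one step beyond the text by percent-decoding before matching so that an encoded form of the walk pattern is not missed. The source addresses, paths and the X-Custom header are hypothetical sample data.

```python
import re
from urllib.parse import unquote

# Indicators named in the article's mitigation note: a directory-walk token and the /vpns/ path.
TRAVERSAL = re.compile(r"/\.\./")
VPNS_PATH = re.compile(r"/vpns/", re.IGNORECASE)

def normalize(value: str) -> str:
    """Percent-decode until stable and unify slashes so encoded walk tokens compare decoded."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value.replace("\\", "/")

def inspect_request(path: str, headers: dict) -> list:
    """Return the indicators a request matches; an empty list means nothing matched."""
    reasons = []
    decoded_path = normalize(path)
    if TRAVERSAL.search(decoded_path):
        reasons.append("traversal in URL")
    if VPNS_PATH.search(decoded_path):
        reasons.append("/vpns/ in URL")
    for name, value in headers.items():
        if TRAVERSAL.search(normalize(value)):
            reasons.append(f"traversal in header {name}")
    return reasons

def classify(path: str, headers: dict) -> str:
    """'high': walk token and /vpns/ together in the URL; 'medium': walk token anywhere; else 'none'."""
    reasons = inspect_request(path, headers)
    if "traversal in URL" in reasons and "/vpns/ in URL" in reasons:
        return "high"
    if any(r.startswith("traversal") for r in reasons):
        return "medium"
    return "none"

# Constructed sample requests (hypothetical addresses, paths and header values, not from the article).
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "path": "/vpn/index.html", "headers": {}},
    {"src": "10.0.0.7", "path": "/vpn/../vpns/example", "headers": {}},
    {"src": "10.0.0.9", "path": "/vpn/%2e%2e/vpns/example", "headers": {}},
    {"src": "10.0.0.11", "path": "/logon/LogonPoint/index.html", "headers": {"X-Custom": "/../"}},
]

def scan(requests: list) -> list:
    """Return (src, path, verdict) for each request not classified 'none'."""
    return [(r["src"], r["path"], classify(r["path"], r["headers"])) for r in requests
            if classify(r["path"], r["headers"]) != "none"]
```

Plain string matching on the raw URL would miss the third sample request, which is why the decode step precedes the match.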