On November 12, 2024, Cloud Software Group released builds to fix CVE-2024-8534 and CVE-2024-8535, which affect NetScaler ADC and NetScaler Gateway.
CVE-2024-8534
This vulnerability is a memory safety vulnerability, and successful exploitation can lead to memory corruption and denial of service. In order for this vulnerability to be exploited, any of the following conditions must be met:
- The ADC must be configured as a gateway (VPN vServer) and the RDP feature must be enabled
- The ADC must be configured as a gateway (VPN vServer) and the RDP Proxy Server Profile needs to be created and set to gateway (VPN vServer)
- The ADC must be configured as an authentication server (AAA vServer) with the RDP feature enabled
The CVSS score for this vulnerability is 8.4.
By inspecting the ns.conf file for the specified strings, you can determine if you have an ADC configured as a gateway (VPN vServer or AAA vServer) with either the RDP feature enabled or an RDP Proxy Server Profile created:
A gateway (VPN vServer) with the RDP feature enabled:
enable ns feature.*rdpproxy
add vpn vserver
A gateway (VPN vServer) with an RDP Proxy Server Profile created and set to the gateway (VPN vServer):
add rdp serverprofile
add vpn vserver
An authentication server (AAA vServer) with the RDP feature enabled:
enable ns feature.*rdpproxy
add authentication vserver
No mitigation is available for this vulnerability, so we strongly recommend that you immediately install the recommended builds if you’re using the affected builds.
CVE-2024-8535
This vulnerability arises due to a race condition leading to an authenticated user getting unintended user capabilities. In order for this vulnerability to be exploited, any of the following conditions must be met:
- The ADC must be configured as a gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) with KCDAccount configuration for Kerberos SSO to access backend resources.
- The ADC must be configured as an authentication server (AAA vServer) with KCDAccount configuration for Kerberos SSO to access backend resources.
The CVSS score for this vulnerability is 5.8.
You can determine if you have an ADC with KCDAccount configuration for Kerberos SSO to access backend resources by inspecting the ns.conf file for the following string:
add aaa kcdaccount
No mitigation is available for this vulnerability, so we strongly recommend that you immediately install the recommended builds if you’re using the affected builds.
Additionally, after upgrading to the fixed version, you must modify the device configuration to ensure that all previously created sessions are flushed out of system memory if the appliances have been configured in HA or cluster mode. Here’s the shell command to do that:
nsapimgr_wr.sh -ys call=ns_aaa_flush_kerberos_tickets
If NetScaler ADCs have been configured in HA mode, then the provided shell command must be executed in HA mode: first on the primary node and later on the secondary node.
If NetScaler ADCs have been configured in a cluster, then the provided shell command must be executed on each node post-upgrade.
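The ns.conf string checks described above for both CVEs can be scripted so they run the same way on every appliance. The following is an added example, not Cloud Software Group tooling; the function names, the constructed sample lines, and the case-insensitive, start-of-line matching are assumptions of this example.

```shell
#!/bin/sh
# Added example: applies the advisory's ns.conf string checks to one file.
# Usage: sh nsconf_check.sh [path-to-ns.conf]
# With no path it runs on the constructed sample below.

BOL='^[[:space:]]*'   # assumption: commands start at the beginning of a line

# has CONF REGEX: true if any line matches. -i is used because the feature
# name may be stored in mixed case (assumption); the advisory's string is lowercase.
has() { grep -Eiq -- "$BOL$2" "$1"; }

# Prints which CVE-2024-8534 precondition patterns are present, if any.
check_8534() {
    hits=""
    if has "$1" 'add vpn vserver'; then
        if has "$1" 'enable ns feature.*rdpproxy'; then hits="$hits gateway+rdp-feature"; fi
        if has "$1" 'add rdp serverprofile'; then hits="$hits gateway+rdp-serverprofile"; fi
    fi
    if has "$1" 'add authentication vserver' && has "$1" 'enable ns feature.*rdpproxy'; then
        hits="$hits aaa+rdp-feature"
    fi
    echo "${hits# }"
}

# Prints "kcdaccount" when the CVE-2024-8535 precondition string is present.
check_8535() {
    if has "$1" 'add aaa kcdaccount'; then echo kcdaccount; else echo ""; fi
}

# Constructed sample lines (not taken from a real appliance).
sample_conf() {
    cat <<'EOF'
enable ns feature LB SSL SSLVPN AAA RDPProxy
add vpn vserver gw_example SSL 192.0.2.10 443
add authentication vserver aaa_example SSL 192.0.2.11 443
EOF
}

report() {
    echo "CVE-2024-8534 conditions matched: $(check_8534 "$1")"
    echo "CVE-2024-8535 conditions matched: $(check_8535 "$1")"
}

if [ "$#" -gt 0 ]; then
    report "$1"
else
    tmp=$(mktemp) && sample_conf > "$tmp" && report "$tmp"; rm -f "$tmp"
fi
```

A match only shows that the configuration precondition is present; whether the appliance is affected still depends on the installed build.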
For both CVE-2024-8534 and CVE-2024-8535, the following versions of NetScaler ADC and NetScaler Gateway are impacted:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-29.72
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-55.34
- NetScaler ADC 13.1-FIPS before 13.1-37.207
- NetScaler ADC 12.1-FIPS before 12.1-55.321
- NetScaler ADC 12.1-NDcPP before 12.1-55.321
Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the following updated versions as soon as possible.
- NetScaler ADC and NetScaler Gateway 14.1-29.72 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-55.34 and later releases of 13.1
- NetScaler ADC 13.1-FIPS 13.1-37.207 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.321 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.321 and later releases of 12.1-NDcPP
You can find more details in the security bulletin. Additionally, please also refer to the updated NetScaler Security Advisory.
Update installation
Download permanent fixes for NetScaler ADC and NetScaler Gateway
NetScaler and Citrix are both part of Cloud Software Group, and we share the same ticketing system. If you encounter issues when you are updating your affected builds, please contact Citrix Customer Support, irrespective of whether your product includes NetScaler branding or Citrix branding.