CVE-2024-0204: Authentication Bypass Vulnerability in Fortra GoAnywhere MFT
by George Glass
Note: These vulnerabilities remain under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
Two vulnerabilities have been detected in in Citrix NetScaler ADC and NetScaler Gateway. These vulnerabilities are being tracked as CVE-2023-6549 and CVE-2023-6548 with CVSS scores of 8.2 and 5.5 respectively. They are under active exploitation, affecting the following product versions:
Citrix published security updates for these vulnerabilities and those fixes should be applied immediately.
Citrix did not provide additional details about the attacks in the wild, so it is unknown when the attacks started.
According to Citrix, customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action. It is not clear if the vulnerabilities previously affected the cloud platforms but have since been mitigated.
CVE-2023-6549 is a zero-day vulnerability with a high potential for exploitation. If exploited, this vulnerability could allow an attacker to perform a denial of service on an appliance configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
CVE-2023-6548 is a zero-day vulnerability that allows an authenticated attacker with low privileges access to NSIP, CLIP or SNIP Management Interface to perform remote code execution on the Management Interface.
CVE- 2023- 6548 only impacts the Management Interface. Citrix strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic. Do not expose the Management Interface to the internet. See NetScaler secure deployment guide for more information.
Our Cyber Threat Intelligence (CTI) team recommends the following:
Install the relevant updated versions as soon as possible:
Note: NetScaler ADC and NetScaler Gateway version 12.1 are now end of life (EOL). Customers are recommended to upgrade their appliances to one of the above supported versions that addresses the vulnerabilities.
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
Threat intelligence are fueled by frontline incident response intel and elite analysts to effectively hunt and respond to threats.
Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.
Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
Kroll’s elite security leaders deliver rapid responses for over 3,000 incidents per year and have the resources and expertise to support the entire incident lifecycle.
World-renowned cyber investigators and leading technology fuel Kroll’s managed security services, augmenting security operations centres and incident response capabilities.
by George Glass
by George Glass, Ryan Hicks
by George Glass, Ryan Hicks, Mikesh Nagar