NetScaler Console, Agent and SVM Security Bulletin for CVE-2024-6235 and CVE-2024-6236
Description of Problem
Two vulnerabilities have been discovered in NetScaler Console (formerly NetScaler ADM), NetScaler SVM, and NetScaler Agent. Details follow.
Affected Versions
The following supported version of NetScaler Console (formerly NetScaler ADM) is affected by CVE-2024-6235:
- NetScaler Console 14.1 before 14.1-25.53
The following supported versions of NetScaler Console, NetScaler Agent and NetScaler SVM are affected by CVE-2024-6236:
- NetScaler Console 14.1 before 14.1-25.53
- NetScaler Console 13.1 before 13.1-53.22
- NetScaler Console 13.0 before 13.0-92.31
- NetScaler SVM 14.1 before 14.1-25.53
- NetScaler SVM 13.1 before 13.1-53.17
- NetScaler SVM 13.0 before 13.0-92.31
- NetScaler Agent 14.1 before 14.1-25.53
- NetScaler Agent 13.1 before 13.1-53.22
- NetScaler Agent 13.0 before 13.0-92.31
This bulletin only applies to the customer-managed NetScaler Console. Customers using Citrix-managed NetScaler Console Service do not need to take any action.
Summary
NetScaler Console contains the vulnerabilities listed below:
CVE-ID | Description | Pre-Requisites | Affected Products | CWE | CVSS |
CVE-2024-6235 | Sensitive information disclosure | Access to NetScaler Console IP | NetScaler Console | CWE-287: Improper Authentication | CVSS v4.0 Base Score: 9.4 |
CVE-2024-6236 | Denial of | Access to NetScaler | NetScaler Console, NetScaler Agent, NetScaler SVM | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer | CVSS v4.0 Base Score: 7.1 |
What Customers Should Do
Cloud Software Group strongly urges customers of NetScaler Console to install the relevant updated versions of NetScaler Console as soon as possible:
- NetScaler Console 14.1-25.53 and later releases of 14.1
- NetScaler Console 13.1-53.22 and later releases of 13.1
- NetScaler Console 13.0-92.31 and later releases of 13.0
- NetScaler SVM 14.1-25.53 and later releases of 14.1
- NetScaler SVM 13.1-53.17 and later releases of 13.1
- NetScaler SVM 13.0-92.31 and later releases of 13.0
- NetScaler Agent 14.1-25.53 and later releases of 14.1
- NetScaler Agent 13.1-53.22 and later releases of 13.1
- NetScaler Agent 13.0-92.31 and later releases of 13.0
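An added example, not part of the bulletin: a Python check that compares an inventory of installed builds against the fixed builds listed above and reports which CVEs still apply. The hostnames and installed builds are constructed, and the input format (`branch-major.minor`, as in `14.1-25.53`) is assumed to match how builds are written in this bulletin.

```python
import re

# Fixed builds per (product, branch), copied from the bulletin's lists.
FIXED = {
    ("console", "14.1"): (25, 53), ("console", "13.1"): (53, 22), ("console", "13.0"): (92, 31),
    ("svm", "14.1"): (25, 53), ("svm", "13.1"): (53, 17), ("svm", "13.0"): (92, 31),
    ("agent", "14.1"): (25, 53), ("agent", "13.1"): (53, 22), ("agent", "13.0"): (92, 31),
}
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def assess(product, version):
    """Return (status, cves); status is 'affected', 'fixed' or 'not-listed'."""
    m = BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {version!r}")
    key = (product.strip().lower(), m.group(1))
    build = (int(m.group(2)), int(m.group(3)))  # numeric, so 9 < 25 and 17 < 22
    fixed = FIXED.get(key)
    if fixed is None:
        return "not-listed", []  # product/branch absent from the bulletin: no claim made
    if build >= fixed:
        return "fixed", []
    cves = ["CVE-2024-6236"]
    if key == ("console", "14.1"):  # CVE-2024-6235 is listed only for Console 14.1
        cves.insert(0, "CVE-2024-6235")
    return "affected", cves


# Constructed inventory: hostnames and installed builds are made up for illustration.
INVENTORY = [
    ("adm-01", "console", "14.1-25.52"),
    ("adm-02", "console", "14.1-9.60"),
    ("svm-01", "svm", "13.1-53.17"),
    ("agent-01", "agent", "13.1-53.17"),
    ("adm-old", "console", "12.1-60.10"),
]


def report(inventory):
    return {host: assess(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, (status, cves) in report(INVENTORY).items():
        print(f"{host:10} {status:11} {', '.join(cves)}")
```

The same build string gives different answers per product: `13.1-53.17` is the fixed build for SVM but is still below the Agent and Console fix of `13.1-53.22`.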
More information
https://support.citrix.com/article/CTX677998/netscaler-console-agent-and-svm-security-bulletin-for-cve20246235-and-cve20246236
For assistance from the Kraft Kennedy team, please contact us.