Today, CISA ordered U.S. federal agencies to secure their systems against three recently patched Citrix NetScaler and Google Chrome zero-days actively exploited in attacks, pushing for a Citrix RCE bug to be patched within a week.
The cybersecurity agency added the flaws to its Known Exploited Vulnerabilities Catalog today, saying that such vulnerabilities are “frequent attack vectors for malicious cyber actors” that pose “significant risks to the federal enterprise.”
Citrix urged customers on Tuesday to immediately patch Internet-exposed NetScaler ADC and Gateway appliances against the CVE-2023-6548 code injection vulnerability and the CVE-2023-6549 buffer overflow impacting the NetScaler management interface, which could be exploited for remote code execution and denial-of-service attacks, respectively.
Those who can’t immediately install the security updates can block network traffic to affected instances and ensure they’re not accessible online as a temporary workaround. According to the Shadowserver threat monitoring platform, more than 51,000 NetScaler appliances are currently exposed online, though only 1,500 of them have their management interfaces reachable over the Internet.
CISA also added the CVE-2024-0519 out-of-bounds memory access in the Chromium V8 JavaScript engine to its KEV list today. This is the first actively exploited Chrome zero-day that Google has patched this year.
One week to secure vulnerable NetScaler instances
After their inclusion in CISA’s KEV list, U.S. Federal Civilian Executive Branch (FCEB) agencies must patch vulnerable devices on their networks within a specific timetable, as mandated by a binding operational directive (BOD 22-01) issued three years ago.
Out of the three now-patched zero-days, the cybersecurity agency wants the CVE-2023-6548 vulnerability impacting NetScaler ADC and Gateway management interfaces to be patched within a week, by next Wednesday, January 24.
The other two, the CVE-2023-6549 NetScaler buffer overflow and the CVE-2024-0519 Google Chrome bug, must be mitigated within three weeks, by February 7.
Although CISA did not explain the expedited CVE-2023-6548 patch process, Citrix’s warning that customers should secure vulnerable appliances as soon as possible and the bug’s management interface impact likely played a significant role.
Even though BOD 22-01 applies only to U.S. federal agencies, CISA urged all organizations (including private companies) to prioritize patching these security flaws as soon as possible.