ACSC flags critical vulnerabilities in Citrix products


By Dylan Bushell-Embling
Monday, 20 November, 2023

ACSC flags critical vulnerabilities in Citrix products

The Australian Cyber Security Centre (ACSC) has issued a critical vulnerability alert related to Citrix software vulnerabilities which contributed to the successful attack on DP World, operator of some of Australia’s major ports.

Two newly discovered flaws in the Citrix NetScaler ADC and NetScaler Gateway products can be exploited to respectively execute code remotely without authentication, and to obtain sensitive information disclosure and conduct session hijacking.

The vulnerabilities are present in pre-patched versions of NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases, NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1, NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0, NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS, NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS, and NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP.

Citrix released patches for the vulnerability in October, and the ACSC is urging any Australian organisations still using the affected products to apply the patches as quickly as possible. The ACSC is also recommending organisations continue monitoring for additional patch updates from Citrix.

But research suggests that DP World had failed to apply the patches before the high-profile attack which forced the company to shut down operations at its ports in Brisbane, Melbourne, Perth and Sydney for a three-day period ending on 13 November.

DP World has revealed that it is continuing to investigate the incident and conduct remediation work in the wake of the breach.

The ACSC, part of the Australian Signals Directorate, is offering to provide organisations impacted by the Citrix vulnerabilities with advice or assistance as required.

Image: DP World.

Related News

Absolute Security buys UEM experts Syxsense

Absolute Security has acquired endpoint and vulnerability management company Syxsense to enable...

Tenable upgrades Nessus risk assessment platform

Tenable has introduced new capabilities to its Nessus vulnerability assessment platform aimed at...

Rubrik teams with Cisco to enhance data security

Rubrik has arranged to have all its products made available through the Cisco SolutionsPlus...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd