Pierluigi Paganini January 18, 2024

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Chrome and Citrix flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.

• CVE-2023-6548 – Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability.
• CVE-2023-6549 – Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability.
• CVE-2024-0519 – Google Chromium V8 Out-of-Bounds Memory Access Vulnerability.

This week Citrix warned customers to install security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-6548 and CVE-2023-6549, impacting Netscaler ADC and Gateway appliances.

“Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.” reads the advisory.

Citrix NetScaler ADC and NetScaler Gateway contain a code injection vulnerability that allows for authenticated remote code execution on the management interface with access to NSIP, CLIP, or SNIP.

An attacker can trigger the flaw to gain remote code execution or cause a denial-of-service condition.

The vulnerability CVE-2023-6548 is an authenticated (low privileged) remote code execution affecting Management Interface. In order to exploit this issue, an attacker must have access to NSIP, CLIP or SNIP with management interface access.

The company pointed out that CVE- 2023- 6548 only impacts the management interface. Cloud Software Group strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic. The vendor recommends that customers do not expose the management interface to the internet, as explained in the secure deployment guide.

The vulnerability CVE-2023-6549 is a Denial of Service. To be exploited the appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.

This week, Google released security updates to address the first Chrome zero-day vulnerability of the year that is actively being exploited in the wild.

The high-serverity vulnerability, tracked as CVE-2024-0519, is an out of bounds memory access in the Chrome JavaScript engine. The flaw was reported by Anonymous on January 11, 2024.

“The Stable channel has been updated to 120.0.6099.234 for Mac and 120.0.6099.224 for Linux and 120.0.6099.224/225 to Windows which will roll out over the coming days/weeks.” reads the security advisory published by the IT giant. “Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild.”

A remote attacker can exploit the flaw by tricking a user into visiting a crafted HTML page to potentially exploit heap corruption.

As usual, Google did not share details of the attacks that exploited the CVE-2024-0519 zero-day in the wild.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by February 2, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)