> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
Citrix NetScaler ADC is a high-performance application delivery and load balancing solution that boosts application availability, speed, and security.
NetScaler Gateway provides secure remote access, ensuring users can connect to corporate resources from anywhere.
Recently, Citrix released a security patch addressing a sensitive information disclosure vulnerability that could expose session tokens.
Our security analysis at Chaitin Tech found that this issue can be exploited through a buffer overflow, making it possible for attackers to steal active user tokens and potentially gain internal network access.
Vulnerability Overview
The flaw lies in how Citrix NetScaler ADC and NetScaler Gateway handle the OpenID Connect Discovery endpoint.
When processing an HTTP request with an unusually large Host header, the buffer management logic fails, triggering a buffer overflow.
Impact:
- Leaked sensitive data such as session tokens.
- An attacker with a valid stolen token can bypass perimeter security and access internal systems.
Detection Tools
X-POC Remote Detection Tool
Run locally to scan a target:
xpoc -r 412 -t http://xpoc.org
Affected Versions
The following customer-managed NetScaler ADC and NetScaler Gateway versions are vulnerable:
- 14.1 before 14.1-8.50
- 13.1 before 13.1-49.15
- 13.0 before 13.0-92.19
- 13.1-FIPS before 13.1-37.164
- 12.1-FIPS before 12.1-55.300
- 12.1-NDcPP before 12.1-55.300
⚠️ Note: Version 12.1 is end-of-life (EOL) and remains vulnerable.
Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not affected.
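As an added example (not from the advisory or from Citrix), the Python below turns the version list above into a check you can run over an appliance inventory. It assumes builds are recorded as `<release>-<build>.<sub>` (e.g. `13.1-49.15`) with the FIPS/NDcPP variant tracked as a separate label; the hostnames in the sample inventory are constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Minimum fixed build per (release line, variant), copied from the advisory's
# Affected Versions list. None means no fixed build exists for that line.
FIXED_BUILDS = {
    ("14.1", "standard"): "14.1-8.50",
    ("13.1", "standard"): "13.1-49.15",
    ("13.0", "standard"): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
    ("12.1", "standard"): None,  # 12.1 is EOL: every build remains vulnerable
}

# Assumed inventory format: "<release>-<build>.<sub>", e.g. "13.1-49.15".
_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def parse_build(build: str) -> Tuple[str, int, int]:
    """Split '13.1-49.15' into ('13.1', 49, 15); numeric parts become ints."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))

def is_vulnerable(build: str, variant: str = "standard") -> Optional[bool]:
    """True if build predates its line's fixed build; None if the line is unlisted."""
    release, major, minor = parse_build(build)
    if (release, variant) not in FIXED_BUILDS:
        return None  # advisory says nothing about this line
    fixed = FIXED_BUILDS[(release, variant)]
    if fixed is None:
        return True  # EOL line with no fix available
    _, fixed_major, fixed_minor = parse_build(fixed)
    # Tuple comparison avoids the string trap where "49.9" sorts after "49.15".
    return (major, minor) < (fixed_major, fixed_minor)

def hosts_to_patch(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames whose (build, variant) is vulnerable, preserving order."""
    return [host for host, build, variant in inventory if is_vulnerable(build, variant)]

# Constructed sample inventory (hostnames and builds are illustrative).
SAMPLE_INVENTORY = [
    ("gw-eu-1", "13.1-49.9", "standard"),   # below 13.1-49.15 -> patch
    ("gw-eu-2", "13.1-49.15", "standard"),  # exactly the fixed build -> ok
    ("gw-us-1", "14.1-4.42", "standard"),   # below 14.1-8.50 -> patch
    ("gw-fips", "13.1-37.164", "FIPS"),     # fixed FIPS build -> ok
    ("gw-old", "12.1-65.39", "standard"),   # EOL line -> patch (move off 12.1)
]
```

`hosts_to_patch(SAMPLE_INVENTORY)` returns the three hosts that still need the fix; a line the advisory does not list yields `None` rather than a false "safe".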
Solution
Upgrade immediately to the fixed versions released by Citrix:
https://support.citrix.com/
Delaying patching puts your internal systems at risk of compromise.
Product Support
- Yuntu: Supports fingerprint recognition and PoC-based detection of this vulnerability.
- Dongjian: Support rollout in progress.
- SafeLine WAF: Virtual patch released to detect exploitation attempts.
- Quanxi: Rules update package expected before Oct 26 to detect exploitation behavior.
Timeline
- Oct 24: Vulnerability intelligence publicly disclosed online.
- Oct 25: Chaitin Emergency Response Lab analyzed and reproduced the issue.
- Oct 25: Chaitin Security Emergency Response Center published advisory.