Citrix Bleed was assigned a CVSS score of 9.4/10, rating it a critical information disclosure vulnerability. Like the new bug, Citrix Bleed was only exploitable when NetScaler ADC and Gateway devices were configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
What separates this bug from CVE-2023-4966 is that it is less likely to expose highly sensitive data. “This bug is nearly identical to the Citrix Bleed vulnerability (CVE-2023-4966), except it is less likely to return highly sensitive information to an attacker,” the blog added.
Citrix silently patched the flaw
The vulnerability has not been assigned a CVE ID, most likely because Citrix has made no public disclosure about it so far, but Bishop Fox observed that it is fixed in NetScaler version 13.1-51.15.
That suggests the company addressed the issue silently, without any disclosure. Bishop Fox urged users to update to version 13.1-51.15 or later to remediate the vulnerability.
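As a practical check, the following script (an added example, not code from the article or from Bishop Fox) compares a NetScaler build string against the 13.1-51.15 fix build named above. It accepts the short form used in advisories and the header line printed by `show ns version` on the NetScaler CLI; the exact shape of that CLI line is assumed, the sample inputs are constructed, and because the article names a fix build only for the 13.1 branch, any other branch is reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Fix build per branch, taken from the article: only 13.1 is covered there.
# Other branches (12.1, 14.1, ...) are deliberately absent so that the check
# reports "unknown" instead of inventing a fix build for them.
FIXED_BUILDS = {(13, 1): (51, 15)}

# Header line of `show ns version`, assumed to look like:
#   "NetScaler NS13.1: Build 51.15.nc, Date: ..."
_CLI_RE = re.compile(r"NetScaler NS(\d+)\.(\d+): Build (\d+)\.(\d+)")
# Short advisory form, e.g. "13.1-51.15".
_SHORT_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, build, sub) from either form, or None if unparseable."""
    m = _SHORT_RE.match(text.strip()) or _CLI_RE.search(text)
    if not m:
        return None
    major, minor, build, sub = (int(g) for g in m.groups())
    return (major, minor, build, sub)


def patch_status(text: str) -> str:
    """Classify a build as patched / vulnerable / unknown / unparseable."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    branch, build = v[:2], v[2:]
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"  # article gives no fix build for this branch
    # Tuple comparison: (51, 15) >= (51, 15) is patched, (49, 15) is not.
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not real device output.
    for sample in (
        "13.1-51.15",
        "13.1-49.15",
        "NetScaler NS13.1: Build 51.15.nc, Date: Feb 24 2024, 05:13:58   (64-bit)",
        "14.1-12.35",
    ):
        print(f"{sample!r}: {patch_status(sample)}")
```

Note that the check says nothing about exposure: as the article states, the bug is only reachable on appliances configured as a Gateway or AAA virtual server, so a vulnerable build on a plain load balancer is a lower-priority finding than the same build fronting a VPN.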
“The vulnerability allows an attacker to recover potentially sensitive data from memory,” Bishop Fox added. “Although in most cases nothing of value is returned, we have observed instances where POST request bodies are leaked. These POST requests may contain credentials or cookies.” It is unclear whether Citrix disclosed this vulnerability privately to its customers, or whether it even acknowledged the issue Bishop Fox raised as a vulnerability.