CVE-2023-6549
Published: 17 January 2024
Summary
CVE-2023-6549 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. Its CVSS base score is 8.2 (High).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2023-6549 is an improper restriction of operations within the bounds of a memory buffer, tracked as CWE-119, that affects NetScaler ADC and NetScaler Gateway. The flaw permits an unauthenticated remote attacker to trigger a denial of service and perform an out-of-bounds memory read, reflected in its CVSS 3.1 score of 8.2 with network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated attacker with network access can send crafted requests that exploit the memory-handling defect, resulting in service disruption and limited information disclosure through the out-of-bounds read. No authentication or user interaction is needed, enabling remote exploitation against exposed appliances.
Citrix has published security bulletin CTX584986 that addresses both CVE-2023-6548 and CVE-2023-6549, and the vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation and the need for prompt remediation through the vendor-supplied updates.
The associated EPSS score stands at 0.8024, which is also its peak value, indicating sustained exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-58779
Vulnerability details
Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service and Out-Of-Bounds Memory Read
- CWE(s): CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
- KEV Date Added: 17 January 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation of network-supplied inputs to NetScaler so that all operations stay within allocated memory buffer bounds, directly blocking the crafted requests that trigger the CWE-119 flaw.
- SI-16 (Memory Protection): Requires hardware or software memory protection mechanisms that detect and block out-of-bounds reads and writes, mitigating the exact buffer violation exploited for unauthenticated denial of service.
- SC-5 (Denial-of-Service Protection): Mandates denial-of-service protection controls that limit the impact of resource exhaustion caused by the out-of-bounds memory read on NetScaler ADC and NetScaler Gateway.