Description of Problem
A number of security vulnerabilities have been identified in Citrix NetScaler Application Delivery Controller (ADC).
These vulnerabilities have been assigned the following CVE numbers:
• CVE-2013-6939: Denial of service vulnerability in Citrix NetScaler Application Delivery Controller RADIUS authentication
• CVE-2012-2141: Array index error in the handle_nsExtendOutput2Table function in agent/mibgroup/agent/extend.c in Net-SNMP 5.7.1 allows remote authenticated users to cause a denial of service (out-of-bounds read and snmpd crash) via an SNMP GET request for an entry not in the extension table.
• CVE-2013-6940: Vulnerability in Citrix NetScaler Application Delivery Controller could result in user credentials being logged to disk
• CVE-2013-6941: Vulnerability in Citrix NetScaler Application Delivery Controller firmware could allow shell breakout
• CVE-2013-6942: Cross-Site Request Forgery vulnerability in Citrix NetScaler Application Delivery Controller
• CVE-2013-6943: Vulnerability in Citrix NetScaler Application Delivery Controller could result in LDAP injection of SSH and Web management usernames
• CVE-2013-6944: Cross-Site Scripting vulnerability in Citrix NetScaler AAA TM vServer user interface.
What Customers Should Do
These vulnerabilities have been addressed in new versions of the Citrix NetScaler ADC appliance firmware. Citrix recommends that customers upgrade their Citrix NetScaler ADC appliance firmware to the versions listed below.
The vulnerabilities have been addressed in the following NetScaler ADC appliance firmware versions:
• 10.1-118.7 and later
• 10.0-77.5 and later
• 9.3-64.4 and later
These versions can be obtained from the following locations:
NetScaler ADC Firmware
NetScaler ADC Virtual Appliance
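The following is an added example, not part of the Citrix advisory: a small inventory check that compares each appliance's firmware version against the fixed builds listed above, branch by branch. The "NS10.1: Build 118.7.nc" banner format, the status names, and the sample inventory are assumptions; branches the advisory does not list are reported as such rather than guessed at.

```python
import re

# Fixed builds per release branch, as listed in the advisory.
FIXED_BUILDS = {(10, 1): (118, 7), (10, 0): (77, 5), (9, 3): (64, 4)}

# Assumption: versions appear either as "10.1-118.7" (the advisory's notation)
# or as "NS10.1: Build 118.7.nc" (assumed appliance banner format).
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text):
    """Return ((major, minor), (build, patch)) as integer tuples."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, build, patch = (int(g) for g in match.groups())
    return (major, minor), (build, patch)


def assess(text):
    """Classify a version string against the advisory's fixed builds."""
    try:
        branch, build = parse_version(text)
    except ValueError:
        return "unparsed"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # The advisory names no fixed build for this branch.
        return "branch-not-listed"
    # Compare as integers: 100.2 is later than 77.5, which a string compare gets wrong.
    return "fixed" if build >= fixed else "upgrade-required"


def audit(inventory):
    """Map each host to its status."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "adc-edge-01": "NS10.1: Build 118.7.nc",
    "adc-edge-02": "10.0-100.2",
    "adc-lab-01": "9.3-61.5",
    "adc-old-01": "9.2-50.1",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```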
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at / .
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp .
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. If you would like to report a security issue to Citrix, please compose an e-mail to firstname.lastname@example.org stating the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.