
Citrix, Fortinet Patch High-Severity Vulnerabilities

Citrix and Fortinet have released patches for multiple vulnerabilities, including high-severity bugs in NetScaler and FortiOS.

Citrix and Fortinet on Tuesday announced patches for over a dozen vulnerabilities, including high-severity flaws impacting NetScaler and FortiOS.

Citrix released fixes for two bugs in NetScaler ADC and NetScaler Gateway, two issues in Session Recording, and one security defect in XenServer and Hypervisor.

Tracked as CVE-2024-8534, the high-severity NetScaler vulnerability is described as a memory safety bug that could lead to memory corruption or denial-of-service (DoS).

It only impacts appliances configured as a gateway (with the RDP feature enabled or with an RDP proxy server profile set to gateway) or configured as an auth server with the RDP feature enabled.

Citrix addressed the bug in NetScaler ADC and NetScaler Gateway versions 14.1-29.72, 13.1-55.34, 13.1-FIPS 13.1-37.207, 12.1-FIPS 12.1-55.321, and 12.1-NDcPP 12.1-55.321, but warns that versions 12.1 and 13.0, which have been discontinued, are also affected.
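A version gate an administrator can run over a NetScaler inventory against the fixed builds listed above. This is an added example, not Citrix's code or tooling; it assumes versions are written in the bulletin's own notation (an optional FIPS/NDcPP branch label followed by the build, e.g. "13.1-FIPS 13.1-37.207"), treats the discontinued 12.1 and 13.0 branches as affected with no fix, and does not inspect the gateway/RDP configuration that actually determines exposure.

```python
import re

# Fixed builds for CVE-2024-8534 as listed in the Citrix bulletin, keyed by
# branch. Build numbers compare as (major, minor) tuples.
FIXED_BUILDS = {
    "14.1": (29, 72),
    "13.1": (55, 34),
    "13.1-FIPS": (37, 207),
    "12.1-FIPS": (55, 321),
    "12.1-NDcPP": (55, 321),
}
# Branches the bulletin calls affected but discontinued: no fixed build exists.
EOL_BRANCHES = {"12.1", "13.0"}

# Bulletin notation: optional FIPS/NDcPP label, then "X.Y-major.minor",
# e.g. "13.1-FIPS 13.1-37.207" or plain "14.1-29.72" (label format assumed).
VERSION_RE = re.compile(
    r"^(?:(\d+\.\d+-(?:FIPS|NDcPP))\s+)?(\d+\.\d+)-(\d+)\.(\d+)$"
)


def parse_version(version):
    """Return (branch, (build_major, build_minor)) for a NetScaler version."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    label, base, major, minor = m.groups()
    return (label or base), (int(major), int(minor))


def cve_2024_8534_status(version):
    """Classify an installed version against the bulletin's fixed builds.

    Returns 'patched', 'vulnerable', 'eol-vulnerable' (affected branch with
    no fix; move to a supported branch) or 'unknown-branch'. A version check
    alone is not proof of exposure: the bug is only reachable with the
    gateway/auth-server RDP configurations the bulletin describes, so a
    'vulnerable' result still needs a configuration review.
    """
    branch, build = parse_version(version)
    if branch in EOL_BRANCHES:
        return "eol-vulnerable"
    if branch not in FIXED_BUILDS:
        return "unknown-branch"
    return "patched" if build >= FIXED_BUILDS[branch] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; only the fixed builds are real values.
    for v in ["14.1-29.72", "13.1-55.10", "13.1-FIPS 13.1-37.207", "13.0-92.19"]:
        print(f"{v:>24}: {cve_2024_8534_status(v)}")
```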

The tech giant also patched medium-severity flaws in NetScaler and Session Recording, and announced a hotfix for CVE-2024-45818, a medium-severity issue in XenServer 8 and Hypervisor 8.2 CU1 LTSR that could lead to crashes and DoS.


Citrix makes no mention of any of these security defects being exploited in the wild. Additional information can be found on the company’s security bulletins page.

On Tuesday, Fortinet announced fixes for 19 vulnerabilities, including high-severity bugs in FortiOS, FortiAnalyzer and FortiManager, and FortiClient for Windows.

The FortiOS issue, tracked as CVE-2023-50176, could allow an “unauthenticated attacker to hijack a user session via a phishing SAML authentication link”. Patches were included in FortiOS versions 7.4.4, 7.2.8, and 7.0.14.

Tracked as CVE-2024-23666, the FortiAnalyzer and FortiManager bug could allow an “authenticated attacker with at least read-only permission to execute sensitive operations via crafted requests”.

Fixes were included in FortiAnalyzer versions 7.4.3, 7.2.6, 7.0.13, and 6.4.15, FortiAnalyzer-BigData versions 7.4.1 and 7.2.7, and FortiManager versions 7.4.3, 7.2.6, 7.0.13, and 6.4.15.

Fortinet also resolved two high-severity issues in FortiClient for Windows, one leading to code execution via spoofed named pipe messages (CVE-2024-47574) and another leading to privilege escalation via auto patch scripts (CVE-2024-36513).

The company also announced patches for multiple medium- and low-severity flaws. Additional information can be found on the company’s PSIRT advisories page.

On Tuesday, the US cybersecurity agency CISA warned that threat actors could exploit some of the newly patched Citrix and Fortinet vulnerabilities to take over the affected systems, urging administrators to apply the necessary updates as soon as possible.

Updated on November 14 to add the number of Fortinet vulnerabilities and information on FortiClient for Windows bugs.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
