Citrix, Fortinet Patch High-Severity Vulnerabilities

Citrix and Fortinet have released patches for multiple vulnerabilities, including high-severity bugs in NetScaler and FortiOS.

Citrix and Fortinet on Tuesday announced patches for over a dozen vulnerabilities, including high-severity flaws impacting NetScaler and FortiOS.

Citrix released fixes for two bugs in NetScaler ADC and NetScaler Gateway, two issues in Session Recording, and one security defect in XenServer and Hypervisor.

Tracked as CVE-2024-8534, the high-severity NetScaler vulnerability is described as a memory safety bug that could lead to memory corruption or denial-of-service (DoS).

It only impacts appliances configured as gateways that have the RDP feature enabled or have an RDP proxy server profile set to gateway, or are configured as an auth server with the RDP feature enabled.

Citrix addressed the bug in NetScaler ADC and NetScaler Gateway versions 14.1-29.72, 13.1-55.34, 13.1-FIPS 13.1-37.207, 12.1-FIPS 12.1-55.321, and 12.1-NDcPP 12.1-55.321, but warns that versions 12.1 and 13.0, which have been discontinued, are also affected.

The tech giant also patched medium-severity flaws in NetScaler and Session Recording, and announced a hotfix for CVE-2024-45818, a medium-severity issue in XenServer 8 and Hypervisor 8.2 CU1 LTSR that could lead to crashes and DoS.

Citrix makes no mention of any of these security defects being exploited in the wild. Additional information can be found on the company’s security bulletins page.

On Tuesday, Fortinet announced fixes for 19 vulnerabilities, including high-severity bugs in FortiOS, FortiAnalyzer and FortiManager, and FortiClient for Windows.


The FortiOS issue, tracked as CVE-2023-50176, could allow an “unauthenticated attacker to hijack a user session via a phishing SAML authentication link”. Patches were included in FortiOS versions 7.4.4, 7.2.8, and 7.0.14.

Tracked as CVE-2024-23666, the FortiAnalyzer and FortiManager bug could allow an “authenticated attacker with at least read-only permission to execute sensitive operations via crafted requests”.

Fixes were included in FortiAnalyzer versions 7.4.3, 7.2.6, 7.0.13, and 6.4.15, FortiAnalyzer-BigData versions 7.4.1 and 7.2.7, and FortiManager versions 7.4.3, 7.2.6, 7.0.13, and 6.4.15.

Fortinet also resolved two high-severity issues in FortiClient for Windows, one leading to code execution via spoofed named pipe messages (CVE-2024-47574) and another leading to privilege escalation via auto patch scripts (CVE-2024-36513).

The company also announced patches for multiple medium- and low-severity flaws. Additional information can be found on the company’s PSIRT advisories page.

On Tuesday, the US cybersecurity agency CISA warned that threat actors could exploit some of the newly patched Citrix and Fortinet vulnerabilities to take over the affected systems, urging administrators to apply the necessary updates as soon as possible.

Updated on November 14 to add the number of Fortinet vulnerabilities and information on FortiClient for Windows bugs.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
