In alerting about two Citrix bugs, CISA recommends immediate attention for one

Two bugs in Citrix technology are drawing serious attention this week from the Cybersecurity and Infrastructure Security Agency.

CISA says federal agencies much patch one of the vulnerabilities — tagged as CVE-2023-6548 — by January 24. It’s one of the rare times the cyber agency has put a remediation date of less than three weeks on a vulnerability.

CISA did not respond to requests for comment about why the remediation timeline was shorter than most.

The other bug — listed as CVE-2023-6548 — must be fixed by February 7. CISA’s alerts are aimed at federal agencies but often serve as general warnings for the public.

The vulnerabilities are in Citrix’s NetScaler ADC and NetScaler Gateway, used for managing network traffic and remote access, respectively.

The feds issued a short alert Thursday after adding the two issues to its Known Exploited Vulnerabilities catalog on Wednesday. Citrix itself issued a bulletin on Tuesday.

CVE-2023-6548 is a “code injection vulnerability,” while CVE-2023-6549 allows for an attacker to overflow the memory buffer and knock the Citrix services offline, CISA said.

Throughout November and December, U.S. cybersecurity agencies warned of another vulnerability affecting NetScaler ADC and NetScaler Gateway devices known as “Citrix Bleed.” Ransomware gangs used the bug in multiple high-profile attacks on vulnerable devices exposed to the internet.

CISA Executive Assistant Director for Cybersecurity Eric Goldstein said more than 300 entities have been warned about their exposure to the issue. Boeing allowed agencies to use the attack it experienced as an example for how security teams should address the vulnerability.

Joe Warminsky contributed to this story.