{"id":174259784,"date":"2024-11-21T14:06:25","date_gmt":"2024-11-21T22:06:25","guid":{"rendered":"https:\/\/www.netscaler.com\/blog\/?p=174259784"},"modified":"2024-11-21T14:06:26","modified_gmt":"2024-11-21T22:06:26","slug":"cve-2024-8534-and-cve-2024-8535-high-severity-security-updates-for-netscaler-adc-and-netscaler-gateway","status":"publish","type":"post","link":"https:\/\/www.netscaler.com\/blog\/news\/cve-2024-8534-and-cve-2024-8535-high-severity-security-updates-for-netscaler-adc-and-netscaler-gateway\/","title":{"rendered":"CVE-2024-8534 and CVE-2024-8535: High severity security updates for NetScaler ADC and NetScaler Gateway\u00a0"},"content":{"rendered":"\n

On November 12, 2024, Cloud Software Group released builds to fix CVE-2024-8534 and CVE-2024-8535, which affect NetScaler ADC and NetScaler Gateway. <\/p>\n\n\n\n

CVE-2024-8534<\/h2>\n\n\n\n

This vulnerability is a memory safety vulnerability, and successful exploitation can lead to memory corruption and denial of service. In order for this vulnerability to be exploited any of the following conditions must be met:<\/p>\n\n\n\n

    \n
  1. The ADC must be configured as a gateway (VPN vServer) and the RDP feature must be enabled<\/li>\n\n\n\n
  2. The ADC must be configured as a gateway (VPN vServer) and the RDP Proxy Server Profile needs to be created and set to gateway (VPN vServer) <\/li>\n\n\n\n
  3. The ADC must be configured as an authentication server (AAA vServer) with the RDP feature enabled <\/li>\n<\/ol>\n\n\n\n

    The CVSS score for this vulnerability is 8.4. <\/p>\n\n\n\n

    By inspecting the ns.conf file for the specified strings, you can determine if you have an ADC configured as a gateway (VPN vServer or AAA vServer) with either the RDP feature enabled or an RDP Proxy Server Profile created:<\/p>\n\n\n\n

    A gateway (VPN Vserver) with the RDP feature enabled:<\/strong><\/p>\n\n\n\n

    enable ns feature.*rdpproxy<\/code><\/p>\n\n\n\n

    add vpn vserver <\/code><\/p>\n\n\n\n

    <\/p>\n\n\n\n

    A gateway (VPN Vserver) with an RDP Proxy Server Profile created and set to the Gateway (VPN Vserver):<\/strong><\/p>\n\n\n\n

    add rdp serverprofile<\/code><\/p>\n\n\n\n

    add vpn vserver <\/code><\/p>\n\n\n\n

    <\/p>\n\n\n\n

    An authentication server (AAA Vserver) with the RDP feature enabled:<\/strong><\/p>\n\n\n\n

    enable ns feature.*rdpproxy<\/code><\/p>\n\n\n\n

    add authentication vserver<\/code><\/p>\n\n\n\n

    <\/p>\n\n\n\n

    No mitigation is available for this vulnerability, so we strongly recommend that you immediately install the recommended builds if you\u2019re using the affected builds.<\/p>\n\n\n\n

    CVE-2024-8535<\/h2>\n\n\n\n

    This vulnerability arises due to a race condition leading to an authenticated user getting unintended user capabilities. In order for this vulnerability to be exploited, any of the following conditions must be met:<\/p>\n\n\n\n

      \n
    1. The ADC must be configured as a gateway (SSL VPN, ICA Proxy, CVPN, or RDP Proxy) with KCDAccount configuration for Kerberos SSO to access backend resources.<\/li>\n\n\n\n
    2. The ADC must be configured as an authentication server (AAA vServer) with KCDAccount configuration for Kerberos SSO to access backend resources.<\/li>\n<\/ol>\n\n\n\n

       The CVSS score for this vulnerability is 5.8.<\/p>\n\n\n\n

      You can determine if you have an ADC with KCDAccount configuration for Kerberos SSO to access backend resources by inspecting the ns.conf file for the following string: <\/p>\n\n\n\n

      add aaa kcdaccount<\/code><\/p>\n\n\n\n

      No mitigation is available for this vulnerability, so we strongly recommend that you immediately install the recommended builds if you\u2019re using the affected builds.<\/p>\n\n\n\n

      Additionally, after upgrading to the fixed version, you must modify the device configuration to ensure that all previously created sessions are flushed out of system memory if the appliances have been configured in HA or cluster mode. Here\u2019s the shell command to do that:<\/p>\n\n\n\n

      nsapimgr_wr.sh -ys call=ns_aaa_flush_kerberos_tickets<\/code><\/p>\n\n\n\n

      If NetScaler ADCs have been configured in HA mode, then the provided shell command must be executed in HA mode: first on the primary node and later on the secondary node.<\/p>\n\n\n\n

      If NetScaler ADCs have been configured in a cluster, then the provided shell command must be executed on each node post-upgrade.<\/p>\n\n\n\n

      For both CVE-2024-8534 and CVE 2024-8535, the following versions of NetScaler ADC and NetScaler Gateway are impacted:<\/p>\n\n\n\n