Citrix Application Delivery Controller Users Beware of UDP Idle Timeout Vulnerability

CVSScvssV3_1: 7.5

Citrix Application Delivery Controllers (ADCs) are commonly used tools to optimize application delivery, provide load balancing and improve security. However, a vulnerability has been discovered that could allow unauthorized termination of traffic on devices with a specific UDP profile configuration.

The vulnerability identified as CVE-2023-29163 has a CVSS score of 7.5 out of 10, indicating a high severity issue. It is caused when a UDP profile with an idle timeout of immediate (0) is configured on a virtual server in Citrix ADCs. This allows any undisclosed traffic received by the ADC to potentially cause Traffic Management Microkernel (TMM) processes to terminate unexpectedly.

An attacker on the same network may be able to exploit this by crafting custom UDP packets and sending them to the targeted virtual server IP and port. This could allow them to remotely crash TMM processes and potentially cause denial of service for applications load balanced by the affected ADC.

Citrix has released software updates to address this issue for supported releases. It is recommended that all Citrix ADC customers check for and apply the latest patches. Administrators should also avoid using UDP profiles with an idle timeout of 0 on virtual servers and change any existing configurations to use a non-zero value instead. Proper network segmentation and firewall rules can further minimize risks from unauthorized access.