NetScaler ADC, Memory Overread, CVE-2024-1222 (Critical)

Listen to this Post

How the mentioned CVE works

This vulnerability resides in the SAML (Security Assertion Markup Language) IdP (Identity Provider) configuration of NetScaler ADC and Gateway. When the appliance is configured as a SAML IdP, it processes incoming SAML requests. Due to insufficient input validation, specifically in parsing certain parameters or assertions within the SAML request, the appliance fails to properly check buffer boundaries. An unauthenticated, remote attacker can send a crafted SAML request containing maliciously formatted data. This causes the system to read memory outside the intended buffer (memory overread). This overread can leak sensitive information from memory, such as session tokens, encryption keys, or other memory-resident data. In severe cases, this memory corruption can lead to a denial of service (DoS) or potentially allow the attacker to bypass authentication mechanisms, leading to complete system compromise. The vulnerability is exploitable over the network without any privileges or user interaction, which contributes to its critical severity rating of 9.3.

dailycve form

Platform: NetScaler ADC/Gateway
Version: 14.1-12.35, 13.1-51.15
Vulnerability: SAML input validation
Severity: Critical
date: 2026-03-31

Prediction: Patch already available

What Undercode Say:

Check current version to verify if vulnerable
/nsconfig/nsversion
Check SAML IdP configuration for exposure
grep -r "SAML" /nsconfig/conf/
Simulated detection: Monitor for abnormal SAML request lengths in logs
grep "SAML" /var/log/ns.log | grep -E "error|invalid|length"

Exploit

Unathenticated remote attacker sends a crafted HTTP POST request to the SAML IdP endpoint (/saml/login) with an overly long or specially crafted `SAMLRequest` parameter, causing the ns_aaa_saml_process function to read beyond allocated heap memory.

Protection from this CVE

Upgrade to fixed versions: NetScaler ADC 14.1-12.35 or 13.1-51.15. If upgrading is not immediate, restrict access to the SAML IdP endpoints to trusted IP addresses via NetScaler ACLs or disable SAML IdP functionality if not required.

Impact

Memory overread leads to exposure of sensitive memory contents (keys, tokens). Potential for authentication bypass, session hijacking, and complete compromise of the ADC appliance.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top