2023’s Top 15 Security Nightmares


Congratulations To Citrix For Taking Both 1st And 2nd Place!

2023 has not been fun for anyone who follows computer security, especially those who have to deal with the vulnerabilities once they've been identified. The Five Eyes countries have released their list of the 15 most egregious security issues discovered last year. Citrix earned its top ranking thanks to the remote code execution bug in NetScaler ADC and Gateway, and to those same products leaking sensitive information when configured exactly as intended, as a gateway or as an authentication, authorization and accounting (AAA) server.

Cisco did their best but could only manage third and fourth place, for letting users elevate a non-privileged account to root access and for allowing code that had not been validated to run as root. Fifth was Fortinet's FortiOS, used by many large corporations, which let a remote attacker execute code merely by sending it a request crafted to trigger a buffer overflow. The Register has a rundown of the rest, including links to the CVE pages if you don't recall exactly how awful these were.

Sadly, 2024's list will be even worse.