Citrix NetScaler bug exploited in the wild since August (CVE-2023-4966)

A recently patched Citrix NetScaler ADC/Gateway information disclosure vulnerability (CVE-2023-4966) has been exploited by attackers in the wild since late August 2023, Mandiant researchers have revealed.

About CVE-2023-4966

Citrix’s security advisory, published on October 10, says that the vulnerability can lead to sensitive information disclosure, but does not explain what type of information can be disclosed to attackers.

CVE-2023-4966 is exploitable remotely without authentication, and a successful attack does not hinge on user interaction.

The vulnerability impacts the following NetScaler ADC and Gateway appliances:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Only appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server are vulnerable. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected.
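The affected-version list above is easiest to apply consistently in code when checking an estate of appliances. The following is an added example (not from the article, Citrix or Mandiant) that classifies a reported NetScaler version against the advisory's fix boundaries; the `show ns version` output format it accepts alongside the advisory's `13.1-49.15` form is an assumption, and the `gateway_or_aaa` flag encodes the configuration caveat from the text.

```python
import re

# Fixed builds from the Citrix advisory, keyed by (release, branch).
# A build strictly below the listed one is affected.
FIXED_BUILDS = {
    ("14.1", "std"): (8, 50),
    ("13.1", "std"): (49, 15),
    ("13.0", "std"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Accepts the advisory form "13.1-49.15" and the `show ns version` form
# "NetScaler NS13.1: Build 49.13.nc" (the latter format is an assumption).
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<release>\d+\.\d+)(?:-|:\s*Build\s+)(?P<build>\d+)\.(?P<sub>\d+)"
)


def parse_version(text):
    """Return (release, (build, sub)) parsed from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group("release"), (int(m.group("build")), int(m.group("sub")))


def is_affected(text, branch="std", gateway_or_aaa=True):
    """True if the build predates the fix for its release/branch and the
    appliance is configured as a Gateway or AAA virtual server; False if
    fixed or not configured that way; None if the release/branch is not
    listed in the advisory (e.g. an end-of-life release) and needs review."""
    if not gateway_or_aaa:
        return False
    release, build = parse_version(text)
    fixed = FIXED_BUILDS.get((release, branch))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: build number, then sub-build


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample, branch in [("13.1-49.13", "std"),
                           ("NetScaler NS13.1: Build 49.15.nc", "std"),
                           ("12.1-55.299", "ndcpp"),
                           ("12.0-99.9", "std")]:
        print(sample, branch, "->", is_affected(sample, branch=branch))
```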

Zero-day attacks

The attackers targeted professional services, technology, and government organizations. They exploited CVE-2023-4966 to hijack existing authenticated sessions, which means that they were able to effectively bypass multifactor (or any kind of) authentication requirements.

“These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor,” Mandiant noted.

“The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted. A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment.”

In late August, a ransomware group targeted internet-facing unpatched Citrix NetScaler systems by leveraging CVE-2023-3519. The patch has been available since July.

What to do?

Citrix urges customers to update to a fixed version of NetScaler ADC and NetScaler Gateway as soon as possible. If a quick upgrade is impossible, Mandiant suggests limiting access to the devices only to trusted IP address ranges.

But merely updating or restricting access to vulnerable devices is not enough: enterprise defenders should also check whether their appliances have been compromised by the attackers.

After the patch has been applied, admins should stop all active sessions, rotate credentials, and – if web shells or backdoors are found – rebuild appliances with a clean-source image.

“To date, Mandiant has not identified any available logs or other artifacts resident on NetScaler appliances that record evidence of exploitation,” the company said. Still, the company provided helpful investigation and detection pointers.

UPDATE (October 24, 2023, 03:10 a.m. ET):

“We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability,” Citrix confirmed.

UPDATE (October 25, 2023, 04:20 a.m. ET):

Assetnote researchers have released a technical write-up and a proof-of-concept exploit script for CVE-2023-4966.
