Citrix has issued a warning regarding a critical security vulnerability (CVE-2023-4966) that affects its NetScaler ADC and Gateway appliances. This flaw has been actively exploited since late August as a zero-day vulnerability, posing a significant threat to organizations.

Description

The vulnerability allows an unauthenticated attacker to read secrets from appliances configured as a Gateway (for example a VPN virtual server or ICA Proxy) or as an authentication, authorization and accounting (AAA) virtual server [3] [4] [6] [8]. Rated CVSS 9.4 [4], the flaw is dangerous because the leaked data includes valid session tokens: a threat actor who obtains one can hijack the authenticated session and bypass multi-factor authentication outright [1] [4]. Citrix released a patch on October 10th [9], yet organizations that applied the update are still being compromised [9]. Researchers from Mandiant stress that the patch only closes the leak; it does not invalidate sessions that were stolen before it was applied, so attackers who already hold a session token keep their access [9].

Mandiant CTO Charles Carmakal advises organizations to terminate all active sessions [9], because authenticated sessions persist after the patch is deployed [1] [9] and a threat actor who captured session data can keep using it to authenticate to resources [1] [9]. Citrix describes the root cause as an unauthenticated buffer-related weakness [2]: a crafted request causes the appliance to return memory it should not, disclosing sensitive information and, with it, the tokens needed to hijack authenticated sessions [2]. Exploitation has already been observed at professional services firms [9], technology firms [9] and government agencies [9], with cyber espionage as the primary motive; financially motivated actors are expected to follow [9].

To mitigate the risk, Citrix recommends that customers upgrade to the latest versions of NetScaler ADC and Gateway [6], restrict access to trusted IP address ranges [6], and terminate all active sessions [1] [2] [3] [4] [9]. Because authenticated sessions persist after the patch is applied [1] [3] [5] [6] [8] [9], killing them is what actually denies a threat actor the use of stolen session data; upgrading alone does not. Mandiant provides investigation and detection guidance [6]: stop active sessions, rotate credentials [6] [7], and rebuild appliances if compromise is detected. The Cybersecurity and Infrastructure Security Agency points organizations to Mandiant's guidance [9].
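The investigation step above comes down to one question: is a session being used from somewhere its owner never logged in? A token stolen through this flaw is replayed from the attacker's own infrastructure, so the same session identifier shows up with a client IP that has no LOGIN event for that session. The script below is an added example written for this page, not Mandiant's or Citrix's tooling. Its log lines are constructed and only loosely modelled on NetScaler's ns.log SSLVPN events; the field names, users and documentation-range IPs are assumptions, and real ns.log lines carry more fields and differ in layout, so the regular expression would need adjusting before use on a real appliance.

```python
"""Hunt for hijacked NetScaler Gateway sessions in SSLVPN-style log lines.

A session token stolen via CVE-2023-4966 is replayed by the attacker from
their own infrastructure, so the same SessionId appears with a Client_ip
that never performed the LOGIN for that session.  This script groups
events by SessionId and reports sessions used from an IP other than the
one that logged in.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample log, loosely modelled on NetScaler ns.log SSLVPN events.
# Field names, users and (documentation-range) IPs are all made up for the
# example; real ns.log lines carry more fields and differ in layout.
SAMPLE_LOG = """\
Oct 18 09:12:01 ns1 SSLVPN LOGIN : SessionId: 41 - User alice - Client_ip 203.0.113.10 - Vserver 192.0.2.5:443
Oct 18 09:12:07 ns1 SSLVPN TCPCONNSTAT : SessionId: 41 - User alice - Client_ip 203.0.113.10 - Destination 10.0.0.8:443
Oct 18 09:40:22 ns1 SSLVPN LOGIN : SessionId: 57 - User bob - Client_ip 198.51.100.7 - Vserver 192.0.2.5:443
Oct 18 10:03:15 ns1 SSLVPN TCPCONNSTAT : SessionId: 41 - User alice - Client_ip 198.51.100.200 - Destination 10.0.0.9:3389
Oct 18 10:03:40 ns1 SSLVPN TCPCONNSTAT : SessionId: 41 - User alice - Client_ip 198.51.100.200 - Destination 10.0.0.12:445
Oct 18 10:15:02 ns1 SSLVPN TCPCONNSTAT : SessionId: 57 - User bob - Client_ip 198.51.100.7 - Destination 10.0.0.8:443
"""

# Assumed layout of the constructed lines above (not NetScaler's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ SSLVPN (?P<event>\w+) : "
    r"SessionId: (?P<sid>\d+) - User (?P<user>\S+) - Client_ip (?P<ip>[\d.]+)"
)


class Event(NamedTuple):
    ts: str
    event: str
    sid: str
    user: str
    ip: str


def parse_log(text: str) -> List[Event]:
    """Parse the lines we understand; unrelated log lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


def find_hijacked_sessions(events: List[Event]) -> Dict[str, dict]:
    """Return {SessionId: finding} for sessions used from a non-login IP.

    The login IP is the Client_ip of the session's LOGIN event; if the
    login predates the log window, the first IP seen stands in for it.
    """
    by_sid: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_sid[ev.sid].append(ev)

    findings: Dict[str, dict] = {}
    for sid, evs in by_sid.items():
        seen_ips: List[str] = []
        for ev in evs:
            if ev.ip not in seen_ips:
                seen_ips.append(ev.ip)      # first-seen order
        login_ips = {ev.ip for ev in evs if ev.event == "LOGIN"} or {seen_ips[0]}
        foreign = [ev for ev in evs if ev.ip not in login_ips]
        if not foreign:
            continue
        findings[sid] = {
            "user": evs[0].user,
            "login_ips": sorted(login_ips),
            "foreign_ips": [ip for ip in seen_ips if ip not in login_ips],
            "first_foreign_use": foreign[0].ts,
            "foreign_event_count": len(foreign),
        }
    return findings


if __name__ == "__main__":
    for sid, f in find_hijacked_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"SessionId {sid} ({f['user']}) logged in from {f['login_ips']} "
              f"but was used {f['foreign_event_count']}x from {f['foreign_ips']} "
              f"starting {f['first_foreign_use']}")
```

On the sample data only session 41 is reported: alice logged in from 203.0.113.10, but the same SessionId then reaches RDP and SMB targets from 198.51.100.200, which never authenticated. Treat a hit as a lead rather than a verdict: roaming clients and NAT changes also move a session between IPs, so correlate the foreign IP with its ASN and geography and with whether it ever logged in as that user. A session that has no LOGIN in the window at all is worth a second look too, since a token stolen before the patch can outlive the log rotation that would have recorded its origin.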

Conclusion

The critical security vulnerability in Citrix's NetScaler ADC and Gateway appliances poses significant risks to organizations. Despite the release of a patch, intrusions continue because sessions stolen before patching remain valid, which makes immediate action essential. Upgrading to the latest versions of the affected products, restricting access [6], and terminating active sessions are the steps that actually close the exposure. Organizations should also follow Mandiant's guidance for investigation and detection. The impact of this vulnerability extends beyond data disclosure, with cyber espionage already under way and financially motivated abuse expected to follow. Organizations must remain vigilant and take proactive measures to protect their systems and data.

References

[1] https://www.darkreading.com/vulnerabilities-threats/critical-citrix-bug-exploited-zero-day-patching-not-enough
[2] https://duo.com/decipher/threat-actors-exploit-citrix-netscaler-adc-and-gateway-flaw
[3] https://beker.uk/2023/10/18/critical-citrix-netscaler-flaw-exploited-to-target-from-government-tech-firms/
[4] https://thehackernews.com/2023/10/critical-citrix-netscaler-flaw.html
[5] https://www.tenable.com/blog/cve-2023-4966-citrix-netscaler-adc-and-netscaler-gateway-information-disclosure-exploited-in
[6] https://www.helpnetsecurity.com/2023/10/18/cve-2023-4966/
[7] https://www.techtarget.com/searchSecurity/news/366555993/Mandiant-Citrix-zero-day-actively-exploited-since-August
[8] https://vulnera.com/newswire/citrix-netscaler-vulnerability-exploited-as-zero-day-since-august/
[9] https://www.cybersecuritydive.com/news/citrix-netscaler-patch-bypassed-hackers/696976/