
Urgent Security Alert: Critical ‘Citrix Bleed’ Flaw (CVE-2023-4966) Under Active Attack
A critical security vulnerability has been discovered in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances, and security experts confirm it is being actively exploited in the wild. This flaw, tracked as CVE-2023-4966 and nicknamed “Citrix Bleed,” poses a severe risk to organizations, allowing unauthenticated attackers to hijack user sessions and bypass multi-factor authentication.
Administrators are urged to take immediate action to patch their systems and mitigate this threat. The vulnerability carries a CVSS score of 9.4 out of 10, reflecting its critical severity and the ease with which it can be exploited remotely without any user interaction.
Understanding the ‘Citrix Bleed’ Vulnerability (CVE-2023-4966)
The core of this critical vulnerability is a sensitive information disclosure flaw. By exploiting a buffer overflow weakness, a remote attacker can extract sensitive data from an appliance’s memory. The most dangerous information that can be leaked is session cookies.
Here’s why that is so dangerous:
- Session Hijacking: With a valid session cookie, an attacker can completely take over a legitimate user’s session.
- Bypassing All Authentication: Since the attacker is hijacking an already authenticated session, they can bypass every authentication control in front of it, including passwords and even multi-factor authentication (MFA).
- No Credentials Needed: The attack does not require any prior knowledge of usernames or passwords, making it a threat to any organization using the vulnerable appliances.
Once an attacker has control of a session, they can potentially access sensitive network resources, deploy malware, or move laterally within the corporate network.
A Second High-Severity Flaw Disclosed
Alongside the critical “Citrix Bleed” flaw, another high-severity vulnerability was also patched. Tracked as CVE-2023-4967, this is a denial-of-service (DoS) vulnerability with a CVSS score of 8.2.
This flaw could allow an attacker to cause an affected appliance to crash, disrupting business operations and availability. This vulnerability requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.
Affected Product Versions
You are at risk if you are running any of the following versions. It is crucial to check your systems and identify any vulnerable instances immediately.
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Notably, Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not vulnerable. If you are using a customer-managed NetScaler virtual appliance (VPX) on a cloud service, you are responsible for applying these updates.
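To make the version check above mechanical, here is an added example (not code from the advisory or from Citrix) that encodes the fixed builds listed in this article and compares a NetScaler version string against them. The `show version` output format it parses (“NetScaler NS13.1: Build 49.13.nc, …”) and the product labels are assumptions; the sample output is constructed.

```python
import re

# Fixed builds from the advisory, keyed by (product line, release branch).
# Any build on a listed branch that is older than the fixed build is affected.
# Product labels are this example's own naming, not Citrix's.
FIXED_BUILDS = {
    ("ADC/Gateway", "14.1"): "8.50",
    ("ADC/Gateway", "13.1"): "49.15",
    ("ADC/Gateway", "13.0"): "92.19",
    ("ADC-FIPS", "13.1"): "37.164",
    ("ADC-FIPS", "12.1"): "55.300",
    ("ADC-NDcPP", "12.1"): "55.300",
}

# Version strings look like "13.1-49.15": release branch, dash, build number.
VERSION_RE = re.compile(r"^(?P<branch>\d+\.\d+)-(?P<build>\d+(?:\.\d+)*)$")

# Assumed layout of the first line of `show version` on the NetScaler CLI.
SHOW_VERSION_RE = re.compile(r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<build>\d+\.\d+)")

# Constructed sample of `show version` output, vulnerable build on the 13.1 branch.
SAMPLE_SHOW_VERSION = "NetScaler NS13.1: Build 49.13.nc, Date: Sep 1 2023, 10:00:00   (64-bit)"


def _build_tuple(build):
    """'49.15' -> (49, 15) so builds compare numerically part by part."""
    return tuple(int(p) for p in build.split("."))


def parse_version(version):
    """Split '13.1-49.15' into ('13.1', (49, 15)); reject anything else."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group("branch"), _build_tuple(m.group("build"))


def version_from_show_output(text):
    """Extract 'branch-build' from `show version` text, e.g. '13.1-49.13'."""
    m = SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError("could not find a NetScaler version in the output")
    return f"{m.group('branch')}-{m.group('build')}"


def is_vulnerable(product, version):
    """True if older than the fixed build, False if fixed, None if the
    (product, branch) pair is not in the advisory's table (e.g. 12.1 standard)."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((product, branch))
    if fixed is None:
        return None
    return build < _build_tuple(fixed)
```

A `None` result means the branch is not covered by this table, not that the appliance is safe; treat it as needing a manual check against the vendor bulletin.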
Action Required: How to Secure Your Systems Now
Due to the active exploitation of CVE-2023-4966, simply applying the patch is not enough. An attacker who has already stolen session cookies can still use them to access your network. Follow these steps immediately to fully secure your environment.
1. Apply the Patches Immediately
Update your appliances to the relevant patched version as soon as possible. The secure versions are:
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later
2. Terminate All Active and Persistent Sessions
This is a critical step. To invalidate any stolen session cookies, you must terminate all active user sessions after applying the patch. This will force all users to re-authenticate and establish new, secure sessions.
You can terminate all active sessions using the following command-line instruction:
kill aaa session -all
3. Review for Signs of Compromise
It is highly recommended that you review your appliance’s logs for any unusual or unauthorized activity. Look for suspicious connections, unexpected administrative changes, or user activity from unfamiliar IP addresses. Given the active exploitation, assuming a breach and hunting for threats is the most prudent security posture.
Do not delay. The active exploitation of this vulnerability means attackers are actively scanning for and targeting unpatched systems. Proactive and immediate remediation is essential to protect your organization’s data and network integrity.
Source: https://securityaffairs.com/181567/hacking/citrix-fixed-three-netscaler-flaws-one-of-them-actively-exploited-in-the-wild.html