Multiple vulnerabilities were discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) with a published security bulletin for CVE-2023-4966.
Here’s what you need to know:
What is CVE-2023-4966?
Known as Citrix Bleed, CVE-2023-4966 was officially disclosed on October 10, 2023, posing a critical threat to Citrix NetScaler ADC and NetScaler Gateway. This vulnerability allows unauthorized access to sensitive information stored on these devices.
A mere week after a patch became available, Mandiant uncovered that the vulnerability had been actively exploited as a zero-day since late August. Hackers had been taking advantage of this exploit to hijack authenticated sessions and bypass multifactor authentication protection.
To achieve this, attackers employed specially crafted HTTP GET requests to manipulate the appliance into revealing system memory contents. Among these contents was a valid NetScaler AAA session cookie, issued after successful authentication and multifactor authentication checks. By pilfering these authentication cookies, hackers gained the ability to access the device without having to undergo multifactor authentication again.
In response to this threat, Citrix issued a second warning to administrators, urging them to fortify their systems against these ongoing attacks. These attacks were characterized by their low complexity and did not necessitate any user interaction.
Does CVE-2023-4966 affect me?
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by this issue:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
Also important to note is that the lack of logging on the appliances makes investigating exploitation of CVE-2023-4966 challenging: web application firewalls (WAF) and other network traffic monitoring appliances must log the traffic in order to determine whether a device was exploited. Unless a network had this type of monitoring in place before an attack, no historical analysis is possible and investigators are limited to real-time observations.
Has CVE-2023-4966 been actively exploited in the wild?
Mandiant researchers were able to identify exploitation attempts and session hijacking through several different avenues:
- WAF request analysis – Requests to the vulnerable endpoint can be logged by WAF tools.
- Login patterns monitoring – Client and source IP address mismatches and multiple sessions from the same IP address written in ns.log files are signs of potential unauthorized access.
- Windows Registry correlation – Correlating Windows Registry entries on Citrix VDA systems with ns.log data makes it possible to trace the attacker’s origin.
- Memory dump inspection – It is possible to analyze NSPPE process memory core dump files for unusually long strings containing repetitive characters, which may indicate exploitation attempts.
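As an added illustration of the ns.log-based checks in the list above (example code written for this page, not from the article or from Mandiant), the script below runs the two login-pattern heuristics over constructed log lines. It assumes a simplified ns.log-style layout that keeps the fields that matter: the source IP in "Context user@ip", the SessionId, and the Client_ip recorded at login.

```python
import re
from collections import defaultdict

# Constructed ns.log-style lines (not real appliance output). Assumption: the
# simplified layout below keeps the fields that matter, namely the source IP in
# "Context user@ip", the SessionId, and the Client_ip recorded at login.
SAMPLE_NS_LOG = """\
Oct 20 09:01:10 ns 0-PPE-0 : default SSLVPN LOGIN 101 0 : Context alice@198.51.100.10 - SessionId: 5001 - User alice - Client_ip 198.51.100.10
Oct 20 09:05:42 ns 0-PPE-0 : default SSLVPN LOGIN 102 0 : Context bob@198.51.100.11 - SessionId: 5002 - User bob - Client_ip 198.51.100.11
Oct 20 09:40:03 ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 103 0 : Context alice@203.0.113.77 - SessionId: 5001 - User alice - Client_ip 198.51.100.10
Oct 20 09:41:15 ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 104 0 : Context bob@203.0.113.77 - SessionId: 5002 - User bob - Client_ip 198.51.100.11
Oct 20 09:42:30 ns 0-PPE-0 : default SSLVPN LOGIN 105 0 : Context carol@203.0.113.77 - SessionId: 5003 - User carol - Client_ip 203.0.113.77
"""

# Pull out the user, the IP the request came from, the session id and the
# client IP recorded for the session.
LINE_RE = re.compile(
    r"Context (?P<user>[^@\s]+)@(?P<src_ip>[\d.]+) - SessionId: (?P<sid>\d+) - "
    r"User \S+ - Client_ip (?P<client_ip>[\d.]+)"
)


def analyze(log_text, session_threshold=3):
    """Return findings for the ns.log signs the article lists."""
    findings = []
    src_ips_by_session = defaultdict(set)   # SessionId -> set of source IPs
    sessions_by_src_ip = defaultdict(set)   # source IP -> set of SessionIds
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        user, src_ip, sid, client_ip = m.group("user", "src_ip", "sid", "client_ip")
        # A request for an existing session arriving from an IP other than the
        # one recorded at login is the classic sign of a stolen session cookie.
        if src_ip != client_ip:
            findings.append(("ip-mismatch", sid, user, src_ip, client_ip))
        src_ips_by_session[sid].add(src_ip)
        sessions_by_src_ip[src_ip].add(sid)
    for sid, ips in src_ips_by_session.items():
        if len(ips) > 1:
            findings.append(("session-from-multiple-ips", sid, sorted(ips)))
    # Many distinct sessions driven from one address: several hijacked cookies
    # being replayed from the same host.
    for ip, sids in sessions_by_src_ip.items():
        if len(sids) >= session_threshold:
            findings.append(("many-sessions-from-ip", ip, len(sids)))
    return findings
```

Tune session_threshold to the environment: shared egress addresses (corporate NAT, VPN concentrators) will legitimately show many sessions from one IP, so that rule is a lead to correlate, not a verdict on its own.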
On October 25th, researchers from AssetNote released a proof-of-concept (PoC) exploit that illustrated how a NetScaler account could be hijacked through session token theft.
Following the successful exploitation of CVE-2023-4966, the attackers engaged in network reconnaissance, using various tools to steal account credentials and move laterally via RDP. These tools included:
- net.exe – Active Directory (AD) reconnaissance
- netscan.exe – internal network enumeration
- 7-zip – create an encrypted segmented archive for compressing reconnaissance data
- certutil – encode (base64) and decode data files and deploy backdoors
- e.exe and d.dll – load into the LSASS process memory and create memory dump files
- sh3.exe – run the Mimikatz LSADUMP command for credential extraction
- FREEFIRE – novel lightweight .NET backdoor using Slack for command and control
- Atera – Remote monitoring and management
- AnyDesk – Remote desktop
- SplashTop – Remote desktop
Even though many of the above can commonly be found in various enterprise environments, their combined deployment might be an indicator of possible compromise, while tools like FREEFIRE are clear indications of a breach.
Mandiant reported that all four threat actors exploiting CVE-2023-4966 in various campaigns showed some overlap in the post-exploitation stage. All four extensively used csvde.exe, certutil.exe, local.exe, and nbtscan.exe, while two activity clusters were seen using Mimikatz.
How to fix CVE-2023-4966
Exploits of CVE-2023-4966 on unmitigated appliances have already been observed. Customers of NetScaler ADC and NetScaler Gateway are urged to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible.
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
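As an added helper for checking an inventory against the affected and fixed builds listed above (example code written for this page, not from Citrix or the article): given a build string in the bulletin's "<release>-<build>" layout, it decides whether the build is patched, still vulnerable, or on the End-of-Life 12.1 branch with no fix. The FIPS/NDcPP variant is passed as a separate argument, since the build number alone does not reveal it.

```python
import re

# Minimum fixed builds from the bulletin, keyed by (release, variant).
# Builds below these on the same branch are affected; the plain 12.1 branch
# (no FIPS/NDcPP) is End-of-Life and has no fixed build.
FIXED_BUILDS = {
    ("14.1", ""): "14.1-8.50",
    ("13.1", ""): "13.1-49.15",
    ("13.0", ""): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}

# Assumption: build strings use the bulletin's "<release>-<major>.<minor>"
# layout, e.g. "13.1-48.47".
BUILD_RE = re.compile(r"^(?P<release>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)$")


def parse_build(build_string):
    """Split '13.1-49.15' into ('13.1', (49, 15)) for ordered comparison."""
    m = BUILD_RE.match(build_string.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build_string!r}")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def assess(build_string, variant=""):
    """Classify a build as 'patched', 'vulnerable', 'eol-no-fix' or 'unknown-release'."""
    release, build = parse_build(build_string)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        # 12.1 without FIPS/NDcPP is EOL: the bulletin lists it as vulnerable
        # with no update to move to.
        if release == "12.1" and variant == "":
            return "eol-no-fix"
        return "unknown-release"
    _, fixed_build = parse_build(fixed)
    # Compare as (major, minor) integers: a plain string compare would rank
    # "10.3" below "8.50" and misclassify newer 14.1 builds.
    return "patched" if build >= fixed_build else "vulnerable"
```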
Additionally, Citrix recommends killing all active and persistent sessions using the following commands:
- kill icaconnection -all
- kill rdp connection -all
- kill pcoipConnection -all
- kill aaa session -all
- clear lb persistentSessions
Applying the available security updates does not address existing breaches, so a full incident response is required. Advice on system restoration can be found in Mandiant’s remediation guide.