THE THREAT
eSentire is aware of reports that the critical Citrix vulnerability, CVE-2023-4966, is now under active widespread exploitation. As of October 30th, at least two separate ransomware groups have been identified exploiting the vulnerability in real-world attacks. Since widespread exploitation has been confirmed, it is critical that organizations, using the impacted NetScaler ADC and NetScaler Gateway products, apply security patches and remediation steps immediately.
CVE-2023-4966 (CVSS: 9.4) is an unauthenticated sensitive information disclosure vulnerability. Successful exploitation allows attackers to hijack authenticated sessions, bypass Multi-Factor Authentication (MFA) and enable a variety of malicious actions, such as code execution or data exfiltration. The vulnerability was initially disclosed on October 10th, and limited targeted attacks were traced back to August 2023. As technical details and exploitation information is now public, the eSentire Threat Intelligence team assesses that it is likely that widespread opportunistic exploitation will increase until the majority of users have applied the relevant security patches.
What we’re doing about it
- The eSentire Threat Intelligence team has tracked this vulnerability since its release, and will continue to monitor the vulnerability for additional details and detection opportunities
- eSentire MDR for Network has rules in place to identify exploitation attempts
- eSentire Managed Vulnerability Service (MVS) has plugins in place to identify this vulnerability
- eSentire MDR for Log has detections in place to identify unusual login activity
- IP addresses, associated with real-world attacks, have been blocked via the eSentire Global Block list
What you should do about it
- After performing a business impact review, apply the relevant security patches
- Alternative mitigations are not available
- Citrix recommends disabling all active and persistent sessions, to prevent token re-use, using the following commands:
- kill icaconnection -all
- kill rdp connection -all
- kill pcoipConnection -all
- kill aaa session -all
- clear lb persistentSessions
- Review potentially impacted systems for unusual activity or other signs of compromise, such as webshell or backdoor deployment
- Consider rotating user credentials
- It is recommended that eSentire MDR for Log customers make sure they are ingesting Citrix NetScaler logs
Additional information
CVE-2023-4966 was initially discovered by Citrix researchers, who disclosed the vulnerability along with security patches, on October 10th. Shortly after public disclosure, Mandiant reported attacks ranging back to August of 2023; this activity was highly targeted, and victims included organizations in the professional services, technology, and government industries. Threat actors were identified exploiting the vulnerability to hijack authenticated sessions, allowing for Multi-Factor Authentication (MFA) bypass.
Proof-of-Concept (PoC) exploit code and technical details relating to CVE-2023-4966 are publicly available; these details make exploitation trivial for even low-skilled actors. Additionally, security researchers have observed a Python script that automates the attack chain, simplifying widespread abuse. Due to the widespread use of Citrix products and the ease of exploitation, continued exploitation and adoption by additional threat actor groups is expected.
Citrix has confirmed the following versions of NetScaler ADC and NetScaler Gateway are vulnerable and need to be addressed:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
It should be noted that NetScaler ADC and NetScaler Gateway version 12.1 is vulnerable but has reached End-of-Life and will no longer receive security updates. Organizations using version 12.1, need to update to a supported version as soon as possible.
References:
[1] https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
[2] https://doublepulsar.com/mass-exploitation-of-citrixbleed-vulnerability-including-a-ransomware-group-1405cbb9de18
[3] https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/
[4] https://www.mandiant.com/resources/blog/remediation-netscaler-adc-gateway-cve-2023-4966
