Black Arrow Cyber Advisory 26 October 2023 – Citrix Bleed Vulnerability Actively Exploited, Patch Now

Executive summary

A high-serverity vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) is being actively exploited in the wild. The vulnerability, labelled “Citrix Bleed” allows attackers to retrieve authentication tokens, which can then be used to gain unauthorised access to the user accounts. Following a release of a proof-of-concept, there has been a further rise in attackers exploiting the vulnerability, which has now been added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog. A second vulnerability, which causes a denial of service has also been addressed.

What’s the risk to me or my business?

Successful exploitation of the critical vulnerability allows an unauthenticated attacker to gain access to sensitive information which can then be used to access user accounts, impacting the confidentiality, integrity and availability of data. The second vulnerability can cause a denial of services, impacting the availability of data.

The following customer-managed versions are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15

  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19

  • NetScaler ADC 13.1-FIPS before 13.1-37.164

  • NetScaler ADC 12.1-FIPS before 12.1-55.300

  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and a patch has not been released for these affected products.

What can I do?

Patches are available for impacted versions of NetScaler ADC and NetScaler Gateway. Due to the severity of the vulnerability Black Arrow recommends applying the patches for the critical vulnerability immediately. In addition, NetScaler have also provided a list of commands which can be used to kill active and persistent sessions, these can be found at the bottom of our advisory. These patches will also address the second vulnerability. NetScaler have noted that If you are a Citrix-managed cloud service or Citrix-managed Adaptive Authentication customer, no action is required.

Technical Summary

CVE-2023-4966 – This vulnerability if exploited allows an attacker to retrieve the authentication session cookies by performing an unauthenticated buffer related exploit which can allow the attacker to use the stolen session top log into the users ID.

CVE-2023-4967 – a vulnerability which if exploited, allows an attacker to cause a denial of service.

Further information on the Citrix patches can be found here:

https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/

Further information on the proof-of-concept can be found here:

https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity

Previous
Previous

Black Arrow Cyber Alert 27 October 2023 – Phishing Campaign Spoofing GFSC Targeting Guernsey Financial Services Firms

Next
Next

Black Arrow Cyber Advisory 26 October 2023 – High Severity Vulnerability in VMware vCenter Patched, Including End-of-Life Products