Recently, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a cybersecurity advisory warning that ransomware groups are actively exploiting the ‘Citrix Bleed’ vulnerability. In this Cybersecurity Threat Advisory, we look at the Citrix Bleed bug, aka CVE-2023-4966, a vulnerability that affects NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances. A patch was released back in October; however, Citrix is recommending further efforts to protect affected environments.
What is the threat?
For context, CVE-2023-4966, originally reported in October, resides in the NetScaler Application Delivery Controller and NetScaler Gateway. These provide load balancing and single sign-on for enterprise networks, respectively. The information-disclosure vulnerability can be exploited by malicious actors to intercept encrypted communications passing between devices when the appliance is configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server. An unauthenticated attacker could exploit the device to hijack an existing authenticated session. Depending on the permissions of the account they’ve hijacked, this could allow the attacker to gain additional access within a target environment and collect other account credentials. Successful exploitation also allows the attacker to bypass multifactor authentication (MFA) or other strong authentication requirements. The following versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerability:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
NetScaler ADC and NetScaler Gateway version 12.1 are now end-of-life (EOL) and are also vulnerable.
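As an added illustration (not part of the original advisory or any Citrix tooling), the following Python helper encodes the affected-version list above so a defender can quickly classify the build an appliance reports. It accepts either a bare version such as `13.1-48.47` or the first line of `show ns version` output; the sample `show ns version` line embedded below is constructed for the example, and the variant names (`standard`, `FIPS`, `NDcPP`) are this helper's own labels for the three product lines the advisory distinguishes.

```python
import re
from typing import NamedTuple, Optional, Tuple


class Verdict(NamedTuple):
    vulnerable: Optional[bool]  # None means the release line is not covered by the advisory
    reason: str


# First fixed build per release line, taken from the advisory's affected-version list.
# Any build on the same line that sorts below the fixed build is affected.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# The advisory states that 12.1 (non-FIPS/NDcPP) is end-of-life and still vulnerable:
# there is no fixed build, so every 12.1 standard build is treated as affected.
EOL_LINES = {("12.1", "standard")}

# Bare form used in the advisory, e.g. "13.1-49.15" -> release 13.1, build 49, sub-build 15.
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")
# Tolerant match for a `show ns version` line, e.g. "NetScaler NS13.1: Build 48.47.nc, ...".
_SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[str, int, int]:
    """Return (release, build, sub_build) from a bare version or a show-ns-version line."""
    m = _VERSION_RE.match(text.strip()) or _SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def normalize(text: str) -> str:
    """Render any accepted input in the advisory's own 'release-build.sub' form."""
    release, build, sub = parse_version(text)
    return f"{release}-{build}.{sub}"


def is_vulnerable(text: str, variant: str = "standard") -> Verdict:
    """Classify an appliance build against the advisory's affected-version list."""
    release, build, sub = parse_version(text)
    key = (release, variant)
    if key in EOL_LINES:
        return Verdict(True, f"{release} {variant} is end-of-life; no fixed build exists")
    if key not in FIXED_BUILDS:
        # Unknown is not the same as safe: surface it so the operator checks the vendor bulletin.
        return Verdict(None, f"{release} {variant} is not listed in the advisory; check the vendor bulletin")
    fixed = FIXED_BUILDS[key]
    fixed_str = f"{release}-{fixed[0]}.{fixed[1]}"
    if (build, sub) < fixed:
        return Verdict(True, f"{normalize(text)} is below fixed build {fixed_str}")
    # Patched, but the advisory is explicit that existing sessions must still be revoked.
    return Verdict(False, f"{normalize(text)} is at or above fixed build {fixed_str}; revoke active sessions regardless")


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    samples = [
        ("13.1-48.47", "standard"),
        ("NetScaler NS13.1: Build 49.15.nc, Date: Oct 1 2023, 00:00:00", "standard"),
        ("13.1-37.160", "FIPS"),
        ("12.1-65.35", "standard"),
        ("14.1-8.50", "standard"),
    ]
    for version, variant in samples:
        print(f"{version!r:70} {variant:9} -> {is_vulnerable(version, variant)}")
```

The comparison is a plain tuple comparison on (build, sub-build), which is sufficient here because every range in the advisory is a lower bound on a single release line; the helper deliberately reports `None` rather than `False` for a line it does not know, so an unlisted build is never silently reported as safe.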
Why is it noteworthy?
An advisory was published by CISA, the FBI, and cybersecurity officials in Australia on Tuesday detailing that the LockBit ransomware gang is actively exploiting CVE-2023-4966. It is cited that while thousands of organizations are still vulnerable, more than 300 entities have been warned about their exposure to the issue through CISA’s Ransomware Vulnerability Warning Program. One of the major companies that has been targeted is Boeing, whose parts and distribution business was attacked by LockBit through the vulnerability earlier this month.
Citrix reiterated its previous warning that patching is not enough to protect affected instances, because compromised NetScaler sessions will continue to be vulnerable after patching. CISA offered remediation/detection methods and indicators of compromise (IOCs) for the Citrix Bleed vulnerability.
What is the exposure or risk?
The Citrix Bleed vulnerability can lead to significant exposure and/or risk for its consumers. If exploited successfully, it could allow the attacker to gain access within a target environment, collect other account credentials and bypass multifactor authentication (MFA) or other strong authentication requirements. As seen recently, this opens a gateway for attackers to deploy ransomware and perform other malicious activities.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of Citrix Bleed:
- Apply the latest patches provided by Citrix.
- Revoke active and persistent sessions, especially at the process/PID level.
- If the first two recommendations aren’t an option, isolate the vulnerable appliances on the network.
- Secure remote access tools by implementing application controls to manage and control the execution of software, including allowing remote access programs.
- Configure the Windows Registry to require user account control (UAC) approval for any PsExec operations.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers.
- Follow the extensive CISA remediation/detection methods and indicators of compromise (IOCs) for the Citrix Bleed vulnerability (Link in References).
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.