Cybersecurity Threat Advisory: Citrix Bleed vulnerability actively exploited

What is the threat?

For context, CVE-2023-4966, originally reported in October, resides in the NetScaler Application Delivery Controller and NetScaler Gateway. These provide load balancing and single sign-on for enterprise networks, respectively. The information-disclosure vulnerability can be exploited by malicious actors to intercept encrypted communications passing between devices when configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as a AAA virtual server. An unauthenticated attacker could exploit the device to hijack an existing authenticated session. Depending on the permissions of the account they’ve hijacked, this could allow the attacker to gain additional access within a target environment and collect other account credentials. Successful exploitation also allows the attacker to bypass multifactor authentication (MFA) or other strong authentication requirements. The following versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerability:

NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300

NetScaler ADC and NetScaler Gateway version 12.1 are now end-of-life (EOL) and are also vulnerable.

Why is it noteworthy?

An advisory was published by CISA, the FBI, and cybersecurity officials in Australia on Tuesday detailing that the LockBit ransomware gang are actively exploiting CVE-2023-4966. It’s sited that while thousands of organizations are still vulnerable, more than 300 entities have been warned about their exposure to the issue through CISA’s Ransomware Vulnerability Warning Program. One of the major companies that has been targeted is Boeing, whose parts and distribution business was attacked by LockBit through the vulnerability earlier this month.

Citrix reiterated its previous warning that patching is not enough to protect affected instances, because compromised NetScaler sessions will continue to be vulnerable after patching. CISA offered remediation/detection methods and indicators of compromise (IOCs) for Citrix Bleed vulnerability.

What is the exposure or risk?

The Citrix Bleed vulnerability can lead to significant exposure and/or risk for its consumers. If exploited successfully, it could allow the attacker to gain access within a target environment, collect other account credentials and bypass multifactor authentication (MFA) or other strong authentication requirements. As seen recently, this opens a gateway for attackers to deploy ransomware and perform other malicious activities.

What are the recommendations?

Barracuda MSP recommends the following actions to limit the impact of Citrix Bleed:

Apply the latest patches provided by Citrix.
Revoke active and persistent sessions, especially at the process/PID level.
If the first two recommendations aren’t an option, isolate the vulnerable appliances on the network.
Secure remote access tools by implementing application controls to manage and control the execution of software, including allowing remote access programs.
Configure the Windows Registry to require user account control (UAC) approval for any PsExec operations.
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers.
Follow the extensive CISA remediation/detection methods and indicators of compromise (IOCs) for the Citrix Bleed vulnerability (Link in References).

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.

Categories

Tags

Archives