A critical information disclosure vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway has been exploited in the wild as a zero-day vulnerability beginning in late August 2023. This vulnerability is identified to be exploited remotely and with no human action required, even when attackers have no system privileges on a vulnerable system. Continue this Cybersecurity Threat Advisory to learn more about this threat and what are the recommendations.
What is the threat?
The identified vulnerability, CVE-2023-4966, carrying a severity rating of 9.8 out of possible 10, resides in the NetScaler application delivery controller and NetScaler Gateway. These provide load balancing and single sign-on in enterprise networks, respectively. This is stemming from a flaw in a currently unknown function. The information-disclosure vulnerability can be exploited so hackers can intercept encrypted communications passing between devices when configured as a gateway (vpn virtual server, ica proxy, cvpn, rdp proxy) or as an AAA virtual server, an unauthenticated attacker could exploit the device in order to hijack an existing authenticated session, depending on the permissions of the account they have hijacked, this could allow the attacker to gain additional access within a target environment and collect other account credentials. successful exploitation allows the attacker to bypass multifactor authentication (MFA) or other strong authentication requirements.
Why is it noteworthy?
Citrix’s NetScaler ADC and NetScaler Gateway appliances have long been valuable targets for attackers. In December 2022, Citrix patched a critical remote code execution (RCE) vulnerability, CVE-2022-27518, in Citrix NetScaler ADC and NetScaler Gateway, that was also exploited in the wild. Following the disclosure of CVE-2019-19781, another unauthenticated RCE vulnerability in NetScaler ADC and NetScaler Gateway appliances in late 2019, active exploitation began in early 2020 and it remained a popular vulnerability with a variety of attackers including Chinese state-sponsored threat actors, Iranian-based threat actors, Russian state-sponsored threat groups as well as ransomware groups. Due to this historical nature of exploitation against NetScaler ADC and NetScaler Gateway appliances, there is a strong urge for organizations to patch CVE-2023-4966 as soon as possible.
What is the exposure or risk?
Although a patch has been provided, a successful hijacking session may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, session hijacking has been observed where session data was stolen prior to the patch deployment, and subsequently used by a threat actor. The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted. A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of Citrix vulnerability:
- Isolate NetScaler ADC and Gateway appliances for testing and preparation of patch deployment.
Note: If the vulnerable appliances cannot be prioritized for patching, Mandiant recommends that the appliances have ingress IP address restrictions enforced to limit the exposure and attack surface until the necessary patches have been applied.
- Upgrade vulnerable NetScaler ADC and Gateway appliances to the latest firmware versions, which mitigate the vulnerability.
- Post upgrading, terminate all active and persistent sessions (per appliance).
- Connect to the NetScaler appliance using the CLI.
- To terminate all active sessions, run the following command: kill aaa session -all
- To clear persistent sessions across NetScaler load balancers, run the following command (where is the name of the virtual server / appliance): clear lb persistentSessions
- To clear existing ICA sessions, run the following command: kill icaconnection -all
- Credential Rotation
- Due to the lack of available log records or other artifacts of exploitation activity, as a precaution, organizations should consider rotating credentials for identities that were provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance.
- If there is evidence of suspicious activity or lateral movement within an environment, organizations should prioritize credential rotation for a larger scope of identities if single factor authentication (SFA) remote access is allowed for any resources from the Internet.
- If web shells or backdoors are identified on NetScaler appliances, Mandiant recommends rebuilding the appliances using a clean-source image, including the latest firmware.
Note: If a restoration of an appliance is required using a backup image, the backup configuration should be reviewed to ensure that there is no evidence of backdoors.
- If possible, reduce the external attack exposure and attack surface of NetScaler appliances by restricting ingress access to only trusted or predefined source IP address ranges.
For more in-depth information about the recommendations, please visit the following links:
- NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967 (citrix.com)
- The latest high-severity Citrix vulnerability under attack isn’t easy to fix | Ars Technica
- NVD – CVE-2023-4966 (nist.gov)
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.