Citrix urges 'immediate' patch for critical NetScaler bug as exploit code made public
At this point, just assume your kit is compromised
Citrix has urged admins to "immediately" apply a fix for CVE-2023-4966, a critical information disclosure bug that affects NetScaler ADC and NetScaler Gateway, admitting it has been exploited.
Plus, there's a proof-of-concept exploit, dubbed Citrix Bleed, now on GitHub. So if you are using an affected build, at this point assume you've been compromised, apply the update, and then kill all active sessions per Citrix's advice from Monday.
The company's first issued a patch for compromised devices on October 10, and last week Mandiant warned that criminals — most likely cyberspies — have been abusing this hole to hijack authentication sessions and steal corporate info since at least late August.
Six days after the Google-owned threat intel firm sounded the alarm, Citrix weighed in.
"If you are using affected builds and have configured NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server, we strongly recommend that you immediately install the recommended builds," the vendor said in a Cloud Software Group blog post about CVE-2023-4966 published on Monday.
"We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability," Citrix added.
Oddly, Citrix didn't release any additional details about these targeted attacks, which Mandiant last week said were used to hit tech firms, government organizations, and professional services companies.
- Critical Citrix bug exploited by data thieves weeks before being patched
- It's 2023 and Microsoft WordPad can be exploited to hijack vulnerable systems
- Cisco fixes critical IOS XE bug but malware crew way ahead of them
- 1Password confirms attacker tried to pull list of admin users after Okta intrusion
A Citrix spokesperson declined to comment on how many organizations have been compromised, and who or what the criminals are targeting in the attacks.
"The security bulletin and blog are the extent of our external statements at this time," the Citrix spokesperson told The Register.
Also last week, Mandiant Consulting CTO Charles Carmakal warned that "organizations need to do more than just apply the patch — they should also terminate all active sessions. These authenticated sessions will persist after the update to mitigate CVE-2023-4966 has been deployed."
Citrix, in the Monday blog, also echoed this mitigation advice and told customers to kill all active and persistent sessions using the following commands:
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
The US Cybersecurity and Infrastructure Security Agency (CISA) last Wednesday added CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, and classified the bug as "unknown" in the "used in ransomware campaigns" column. The addition means federal agencies, and those that do business with them, should have this one fixed sharpish.
While the attacks to date are more likely linked to snooping campaigns, "we anticipate other threat actors with financial motivations will exploit this over time," Carmakal said previously. But let's face it, they usually do. ®