CVE-2023-4966 (Citrix Bleed) Active Exploitation
Citrix published a security bulletin on October 10, 2023, regarding a vulnerability (CVE-2023-4966) affecting NetScaler ADC and NetScaler Gateway appliances that allows sensitive information disclosure. It enables unauthenticated attackers to steal sensitive data from on-premises appliances configured as an AAA virtual server or as a Gateway.
Background:
Citrix issued bug fixes on October 10 and warned last week that threat actors are actively exploiting the vulnerability in the wild to perform session hijacking, allowing them to circumvent authentication, including multi-factor authentication measures.
Security researchers have begun raising the alarm about CVE-2023-4966 being widely exploited, with several threat actors, including ransomware gangs, attacking internet-accessible NetScaler ADC and Gateway systems recently.
CVE-2023-4966:
Citrix Bleed (CVE-2023-4966) is a severe vulnerability that affects Citrix NetScaler Gateway and NetScaler ADC products, which are used for load balancing, firewall implementation, traffic management, virtual private network (VPN), and user authentication. By exploiting this vulnerability, attackers may be able to acquire sensitive information (including session authentication cookies) from susceptible appliances and hijack a user's session.
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerability:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
NetScaler ADC and NetScaler Gateway version 12.1 are no longer supported and are vulnerable. Customers who use Citrix-managed cloud services or Adaptive Authentication products are unaffected.
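As an added example, not taken from Citrix or from the original advisory, the following Python check compares an appliance's build against the fixed builds listed above. It assumes the `show ns version` output format shown in the code comment, and it assumes the operator supplies whether the appliance is a standard, FIPS or NDcPP build, since the version string alone does not say which fix line applies.

```python
import re

# First fixed build per (release, variant), taken from the affected-version
# list in the Citrix bulletin: anything below these is vulnerable.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Releases the bulletin lists as end-of-life: vulnerable with no fix available.
EOL_RELEASES = {("12.1", "standard")}

# Assumed format of the CLI's `show ns version` output, e.g.
#   "NetScaler NS13.1: Build 49.13.nc, Date: Sep 20 2023, 09:56:38   (64-bit)"
VERSION_RE = re.compile(r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<build>\d+\.\d+)")


def parse_version(output):
    """Extract (release, (build_major, build_minor)) from `show ns version` text."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised version string: %r" % output)
    major, minor = m.group("build").split(".")
    return m.group("release"), (int(major), int(minor))


def assess(release, build, variant="standard"):
    """Classify a build as 'vulnerable', 'fixed' or 'unknown' for CVE-2023-4966.

    `variant` is 'standard', 'fips' or 'ndcpp'; the CLI output does not reveal
    it, so the operator supplies it from the appliance's licence/SKU.
    Builds compare as integer tuples, so (49, 9) < (49, 15) as Citrix intends;
    a plain string comparison would get that wrong.
    """
    if (release, variant) in EOL_RELEASES:
        return "vulnerable"
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return "unknown"  # not in the bulletin's table: do not assume safe
    return "fixed" if build >= fixed else "vulnerable"


def check_appliance(output, variant="standard"):
    """Parse `show ns version` output and assess it in one call."""
    release, build = parse_version(output)
    return assess(release, build, variant)


if __name__ == "__main__":
    # Constructed sample output; not captured from a real appliance.
    sample = "NetScaler NS13.1: Build 49.13.nc, Date: Sep 20 2023, 09:56:38   (64-bit)"
    print(parse_version(sample), check_appliance(sample))
```

An "unknown" result means the release/variant pair is not in the bulletin's table, which should prompt a manual check rather than being read as "not affected".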
Impact:
If exploited, this vulnerability lets the attacker read the contents of appliance memory. Memory leaked in this way can contain a legitimate NetScaler AAA session cookie belonging to a valid, authenticated user. The attacker can then replay the stolen session cookie to impersonate that user and obtain a fully authenticated session with the appliance without supplying a username or password. It is important to note that this session cookie is issued after authentication completes, meaning any MFA checks have already been satisfied: replaying the cookie therefore bypasses MFA entirely.
On October 25, 2023, researchers published a proof-of-concept (PoC) exploit for Citrix Bleed, citing a buffer-related flaw in Citrix NetScaler ADC and NetScaler Gateway that allows sensitive information disclosure when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Citrix Bleed is being exploited by at least four distinct threat groups, at least one of which has automated the attack chain.
Confirmed malicious activity following successful exploitation and authentication includes typical post-exploitation tactics, techniques, and procedures (TTPs) such as the following:
Host and network reconnaissance
- Net.exe
- Systeminfo
- whoami
Credential harvesting
- LSASS dumps
- Mimikatz
Lateral movement via RDP
Usage of specific tools and Windows utilities
- 7zip
- Certutil
- SoftPerfect network scanner (netscan.exe)
- csvde.exe
- local.exe
- nbtscan.exe
Deployment of RMM tools for persistence
- Atera
- AnyDesk
- SplashTop
Remediation:
Citrix advises admins to deploy updates promptly if they are running an impacted version. Citrix has also advised that all active and persistent sessions be terminated following successful patching. The following commands can be used to accomplish this:
- kill icaconnection -all
- kill rdp connection -all
- kill pcoipConnection -all
- kill aaa session -all
- clear lb persistentSessions
While patching is the best approach, Mandiant has published guidance with mitigations for appliances that cannot be updated immediately, together with hardening and clean-up steps to apply once patching is done:
- Enforce ingress IP address restrictions on vulnerable appliances to limit exposure, and restrict access to trusted or predefined source IP address ranges to reduce external attack exposure.
- After upgrading, terminate all active and persistent sessions per appliance.
- Using the Command-Line Interface (CLI), connect to the appliance and run: clear lb persistentSessions
- Rotate credentials for identities accessing resources through a vulnerable NetScaler ADC or Gateway appliance.
- In the presence of suspicious activity or lateral movement, prioritize credential rotation for a broader range of identities.
- If web shells or backdoors are found on NetScaler appliances, rebuild them using a clean-source image with the latest firmware.
- If restoring from a backup image is necessary, review the backup configuration to ensure there are no backdoors.
Detection:
Tracking and identifying evidence of exploitation is difficult because Citrix appliance logs do not appear to record any indicators or artifacts of successful exploitation. Mandiant has supplied a list of steps to assist in scoping an investigation:
- Examining NetScaler appliances for backdoors or web shells.
- Mandiant has created a tool (https://github.com/mandiant/citrix-ioc-scanner-cve-2023-3519) to assist in the identification of such evidence.
- Detecting suspect logins and lateral movement from published systems or resources accessible via NetScaler appliances.
- Correlating authentication and login events (e.g., VDI systems published via NetScaler appliances) originating in geographic regions that are not part of a defined baseline.
- Correlating authentication and login events in the absence of a successful MFA challenge/response.
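As an added example, not from Mandiant or from the original advisory, the Python below implements the three correlations above as rules over a normalised event feed. Because the appliance's own logs do not record exploitation, the feed is assumed to come from systems behind the gateway (VDI, directory or identity-provider logs) that were exported and normalised beforehand; the line format, field names (`event`, `user`, `session`, `src`, `geo`) and event vocabulary (`AUTH_OK`, `MFA_OK`, `SESSION_USE`) are assumptions for this example, and the sample lines are constructed.

```python
# Normalised feed format assumed for this example (not NetScaler's log format):
#   HH:MM:SS event=<AUTH_OK|MFA_OK|SESSION_USE> user=<u> session=<id> src=<ip> geo=<CC>
# Constructed sample: S1 is hijacked (replayed from a new IP/country after MFA),
# S2 never completed MFA, S3 is used without any authentication event at all.
SAMPLE_LINES = """\
08:00:01 event=AUTH_OK user=alice session=S1 src=203.0.113.10 geo=US
08:00:03 event=MFA_OK user=alice session=S1 src=203.0.113.10 geo=US
08:05:12 event=SESSION_USE user=alice session=S1 src=203.0.113.10 geo=US
09:12:40 event=SESSION_USE user=alice session=S1 src=198.51.100.77 geo=RU
09:30:00 event=AUTH_OK user=bob session=S2 src=203.0.113.20 geo=US
09:31:05 event=SESSION_USE user=bob session=S2 src=203.0.113.20 geo=US
10:00:00 event=SESSION_USE user=carol session=S3 src=192.0.2.9 geo=US
""".splitlines()

# Countries from which logins are normally expected (assumed baseline).
BASELINE = {"US", "CA"}


def parse_line(line):
    """'HH:MM:SS key=value ...' -> dict, for the assumed feed format above."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for item in fields:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def analyze(lines, baseline_countries):
    """Return [(session, rule, detail)] with at most one entry per (session, rule).

    Rules (lines are assumed to be in chronological order):
      no_auth_event      session used but never completed primary auth here
      no_mfa             session used after primary auth with no MFA_OK seen
      session_ip_change  session used from an IP other than the authenticating one
      geo_anomaly        session used from a country outside the baseline
    A replayed cookie typically surfaces as session_ip_change and geo_anomaly,
    or as no_auth_event when the original login predates the log window.
    """
    auth_ip = {}   # session -> source IP of its AUTH_OK
    mfa_ok = set()  # sessions that passed an MFA challenge
    seen = set()
    findings = []

    def flag(session, rule, detail):
        if (session, rule) not in seen:
            seen.add((session, rule))
            findings.append((session, rule, detail))

    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        s = e["session"]
        if e["event"] == "AUTH_OK":
            auth_ip[s] = e["src"]
        elif e["event"] == "MFA_OK":
            mfa_ok.add(s)
        elif e["event"] == "SESSION_USE":
            if s not in auth_ip:
                flag(s, "no_auth_event",
                     f"{e['user']} used {s} from {e['src']} with no AUTH_OK")
            else:
                if s not in mfa_ok:
                    flag(s, "no_mfa", f"{e['user']} used {s} without MFA_OK")
                if e["src"] != auth_ip[s]:
                    flag(s, "session_ip_change",
                         f"authenticated from {auth_ip[s]}, used from {e['src']}")
            if e.get("geo") not in baseline_countries:
                flag(s, "geo_anomaly", f"{e['user']} from {e.get('geo')}")
    return findings


if __name__ == "__main__":
    for session, rule, detail in analyze(SAMPLE_LINES, BASELINE):
        print(f"{session}\t{rule}\t{detail}")
```

The rules deliberately stay stateful per session rather than per user: a hijacked cookie is the same session identifier appearing from a new origin, which a per-user view (the user "logging in" from two places) would blur with ordinary roaming.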
GreyNoise is monitoring suspicious IP addresses with the tag “Citrix ADC Netscaler CVE-2023-4966 Information Disclosure Attempt” (https://viz.greynoise.io/query?gnql=tags%3A%22Citrix%20ADC%20Netscaler%20CVE-2023-4966%20Information%20Disclosure%20Attempt%22).
It should be emphasized that these are only IP addresses observed scanning for the vulnerability. Their presence in your logs should not be interpreted as proof of a targeted attack or attempted exploitation.