
Citrix ADC Vulnerability

Published 25 October 2023, revised October 30th, 2023 | Categories: CERT, SOC, Vulnerability

This live blog contains information regarding a vulnerability in Citrix ADC and Citrix Gateway. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on October 25, 2023.

Update 25 October 2023

11:00 | On the 25th of October, details regarding exploitation of the “Citrix Bleed” vulnerability were published in a blog by Assetnote. The vulnerability was already being exploited by specific attacker groups. With this publication, exploitation is now possible for a much larger group of attackers.

The blog by Assetnote can be found here: https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966

Citrix has published a mitigation guide that describes additional steps to take alongside applying the software updates. This guide can be found here: https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/

Update 19 October 2023

13:30 | On the 10th of October, Citrix released a security bulletin describing two vulnerabilities. The most severe is an information disclosure vulnerability in Citrix ADC and Citrix Gateway, registered as CVE-2023-4966. This vulnerability allows a remote, unauthenticated attacker to retrieve sensitive information.

At the time of publication, it was unknown which information could be retrieved. On the 17th of October, cyber security company Mandiant published a blog reporting exploitation of the vulnerability in the wild. Additionally, they revealed that session information of active users is leaked when the vulnerability is exploited. This gives the attacker the ability to perform a session take-over and harvest additional credentials.

Exploitation of CVE-2023-4966 has been observed in the wild, but exploit code or instructions are not publicly available. Citrix has released software updates. It is highly recommended to apply these security patches as soon as possible, but additional steps are required for mitigation. Mandiant has provided a mitigation guide.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On the 10th of October, Citrix released a security bulletin describing two vulnerabilities. The most severe is an information disclosure vulnerability in Citrix ADC and Citrix Gateway, registered as CVE-2023-4966. This vulnerability allows a remote, unauthenticated attacker to retrieve sensitive information.

At the time of publication, it was unknown which information could be retrieved. On the 17th of October, cyber security company Mandiant published a blog reporting exploitation of the vulnerability in the wild. Additionally, they revealed that session information of active users is leaked when the vulnerability is exploited. This gives the attacker the ability to perform a session take-over and harvest additional credentials.

Exploitation of CVE-2023-4966 has been observed in the wild, but exploit code or instructions are not publicly available. Citrix has released software updates. It is highly recommended to apply these security patches as soon as possible, but additional steps are required for mitigation. Mandiant has provided a mitigation guide.

Potential Risk

The vulnerability CVE-2023-4966 has a CVSS score of 9.4. The CVSS scale runs from 0 to 10. A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact. CVE-2023-4966 is an information disclosure vulnerability in Citrix ADC and Citrix Gateway. The impact of the vulnerability is dependent on the information being leaked, which partially explains the relatively low CVSS score of 9.4.

In this case the vulnerability provides an attacker the ability to steal session information, which can be used to perform a session take-over. Mandiant stated that it is possible for the attacker to harvest additional credentials. Downstream access is limited by the permissions and scope of access of the identity or session that was stolen.

Exploitation of CVE-2023-4966 has been observed in the wild, but exploit code or instructions are not publicly available. Combined with the internet-exposed nature of the affected solutions, this makes the vulnerability very critical; it must be remediated as soon as possible.

Detail info

Citrix ADC or Citrix Gateway solutions configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server are vulnerable to CVE-2023-4966. Citrix has noted that customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted by this vulnerability.

The following supported versions of NetScaler ADC and NetScaler Gateway are vulnerable:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable. Customers are strongly recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Security updates are available; please upgrade to one of the following versions:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
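The two version lists above, together with the deployment-role condition in the "Detail info" section, are enough to triage an appliance inventory. The following Python is an added example (not Tesorion's, Citrix's or Mandiant's code): it parses NetScaler version strings of the form `release-build.patch`, compares each appliance against the first fixed build for its release line and variant, treats the 12.1 non-FIPS/NDcPP line as EOL with no fix, and only flags appliances whose configured roles are among those the advisory names. The fixed-build boundaries are copied from the lists above; the function names, role labels and the sample inventory are constructed for illustration.

```python
"""Triage NetScaler ADC / Gateway appliances against the CVE-2023-4966 advisory.

Added example, not code from the advisory or from Citrix. Version boundaries
come from the affected/fixed lists in the advisory; helper names, role labels
and the sample inventory below are constructed for illustration.
"""
from __future__ import annotations

import re

# First fixed build per (release line, variant), as listed in the advisory.
FIXED_BUILDS: dict[tuple[str, str], str] = {
    ("14.1", ""): "14.1-8.50",
    ("13.1", ""): "13.1-49.15",
    ("13.0", ""): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}

# 12.1 without a FIPS/NDcPP variant is End Of Life and vulnerable; no fixed build exists.
EOL_LINES = {("12.1", "")}

# Deployment roles the advisory says are in scope: Gateway (VPN vserver, ICA Proxy,
# CVPN, RDP Proxy) or AAA virtual server. Labels are constructed for this example.
VULNERABLE_ROLES = frozenset({"vpn", "ica_proxy", "cvpn", "rdp_proxy", "aaa"})

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '13.1-49.15' into (13, 1, 49, 15) so builds compare numerically, not as strings."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version format: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str, variant: str = "", roles: frozenset[str] = frozenset()) -> str:
    """Classify one appliance.

    Returns one of:
      'not_affected_role' - none of the configured roles is in the advisory's scope
                            (re-check if a Gateway/AAA vserver is added later)
      'eol_vulnerable'    - on the EOL 12.1 line; no fix, upgrade to a supported line
      'vulnerable'        - build is older than the first fixed build for its line
      'fixed'             - at or above the fixed build
      'unknown_line'      - release line/variant not covered by the advisory lists
    """
    if not roles & VULNERABLE_ROLES:
        return "not_affected_role"
    major, minor, build, patch = parse_version(version)
    line = (f"{major}.{minor}", variant.upper() if variant.upper() != "NDCPP" else "NDcPP")
    if line in EOL_LINES:
        return "eol_vulnerable"
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return "unknown_line"
    # Same release line, so only build.patch decides.
    return "vulnerable" if (build, patch) < parse_version(fixed)[2:] else "fixed"


def triage(inventory: list[dict]) -> dict[str, str]:
    """Map hostname -> status for a list of {'host', 'version', 'variant', 'roles'} records."""
    return {
        item["host"]: assess(item["version"], item.get("variant", ""), frozenset(item.get("roles", ())))
        for item in inventory
    }


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are illustrative only.
    sample = [
        {"host": "gw-01", "version": "13.1-48.47", "roles": ["vpn"]},
        {"host": "gw-02", "version": "13.1-49.15", "roles": ["aaa"]},
        {"host": "gw-03", "version": "12.1-65.39", "roles": ["vpn", "rdp_proxy"]},
        {"host": "gw-04", "version": "12.1-55.297", "variant": "fips", "roles": ["cvpn"]},
        {"host": "lb-01", "version": "13.1-48.47", "roles": ["lb"]},
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Builds are compared as integer tuples because a plain string comparison would rank `13.1-8.50` above `13.1-49.15`. The role check is deliberately separate from the version check: an unpatched load balancer with no Gateway or AAA virtual server is still worth upgrading, but it is not exposed to this particular issue according to the advisory.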

Installation of the security update is not sufficient to remediate the risk of this vulnerability. Mandiant provides additional remediation steps in their remediation guide. This document can be found here: https://services.google.com/fh/files/misc/citrix-netscaler-adc-gateway-cve-2023-4966-remediation.pdf

If any suspicious or malicious activity is detected in relation to this article, please contact T-CERT. The Tesorion Computer Emergency Response Team offers specialist support 24/7. In emergencies, we immediately conduct an initial assessment by telephone and do all we can to get the situation under control as soon as possible.
