
A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced.

The security issue is an information disclosure and received a fix last week. It allows attackers to access secrets on appliances configured as a Gateway or as an authentication, authorization, and accounting (AAA) virtual server.

In a security bulletin on October 10 with few technical details, Citrix strongly urged customers to install the available update without delay.


A report from Mandiant disclosed that it found signs of CVE-2023-4966 being exploited in the wild since August for stealing authentication sessions and hijacking accounts.

"Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023," says the cybersecurity company.

"Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements" - Mandiant

The company also warns that hijacked sessions persist even after installing the security update. Depending on the permissions of the hijacked account, the attackers may leverage the method to move laterally or to breach more accounts.

Security researchers observed CVE-2023-4966 being exploited to gain access to infrastructure belonging to government organizations and technology companies.

Fixing and mitigation

Apart from applying the patch from Citrix, Mandiant published a document with additional remediation recommendations for NetScaler ADC/Gateway administrators with the following suggestions:

  1. Restrict ingress IP addresses if immediate patching isn't feasible.
  2. Terminate all sessions post-upgrade and run the CLI command: clear lb persistentSessions <vServer>.
  3. Rotate credentials for identities accessing vulnerable appliances.
  4. If suspicious activity is detected, especially with single-factor authentication, rotate a broader scope of credentials.
  5. For detected web shells or backdoors, rebuild appliances with the latest clean-source image.
  6. If restoring from backup, ensure no backdoors are in the backup configuration.
  7. Limit external attack exposure by restricting ingress to trusted IPs.

Also, upgrading the appliances to the following firmware versions should be prioritized:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
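To turn the fixed-build list above into something an administrator can run over an appliance inventory, the following script compares a reported NetScaler build against the minimum fixed build for its release branch and edition. This is an added example written for this article, not code from Citrix or Mandiant; the "NetScaler NS13.1: Build 49.13.nc, ..." line format accepted by the parser is assumed to match `show version` output, and the inventory lines are constructed sample data.

```python
"""Check NetScaler ADC/Gateway builds against the CVE-2023-4966 fixed builds.

Added example; fixed-build thresholds are the ones listed in the article.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed build per (edition, release branch), as listed in the article.
# Branches not listed here (for example 12.1 standard) get no verdict.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("standard", "14.1"): (8, 50),
    ("standard", "13.1"): (49, 15),
    ("standard", "13.0"): (92, 19),
    ("fips", "13.1"): (37, 164),
    ("fips", "12.1"): (55, 300),
    ("ndcpp", "12.1"): (55, 300),
}

# Accepts the short form "13.1-49.13" as well as an assumed `show version`
# style line such as "NetScaler NS13.1: Build 49.13.nc, Date: ...".
_VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)[-:]\s*(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (release branch, (build, sub-build)) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, sub = (int(g) for g in m.groups())
    return f"{major}.{minor}", (build, sub)


def assess(text: str, edition: str = "standard") -> str:
    """Classify a build as 'fixed', 'vulnerable', 'unsupported-branch' or 'unparseable'.

    edition is 'standard', 'fips' or 'ndcpp'; a build is only 'fixed' when it is
    at or above the fixed build of its own branch and edition.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    branch, build = parsed
    fixed = FIXED_BUILDS.get((edition.lower(), branch))
    if fixed is None:
        return "unsupported-branch"
    return "fixed" if build >= fixed else "vulnerable"


def assess_inventory(rows: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map hostname -> verdict for (hostname, edition, version text) rows."""
    return {host: assess(version, edition) for host, edition, version in rows}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and builds are made up).
    sample = [
        ("gw-01.example.test", "standard", "NetScaler NS13.1: Build 49.13.nc, Date: Jan 1 2023"),
        ("gw-02.example.test", "standard", "13.1-49.15"),
        ("gw-03.example.test", "fips", "13.1-37.164"),
        ("gw-04.example.test", "ndcpp", "12.1-55.299"),
        ("gw-05.example.test", "standard", "12.1-55.300"),
    ]
    for host, verdict in assess_inventory(sample).items():
        print(f"{host}: {verdict}")
```

Note that the same numeric build can be fixed in one edition and meaningless in another: "12.1-55.300" is a fixed FIPS/NDcPP build, but the article lists no fixed build for a standard 12.1 branch, so the checker reports that branch as unsupported rather than guessing. Even a "fixed" verdict only covers the patch; the session-termination and credential-rotation steps above still apply, because sessions hijacked before the upgrade remain valid.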

This is the second zero-day flaw Citrix has fixed in its products this year. A previous one, identified as CVE-2023-3519, was exploited in the wild in early July and received a fix a few weeks later.
