Citrix has released a fresh warning to users of its NetScaler ADC and NetScaler Gateway products to update the appliance software as soon as possible, citing an increase in exploitation and the public release of proof-of-concept (PoC) exploit code.
The bug, designated CVE-2023-4966 and now nicknamed “Citrix Bleed”, is a sensitive-information disclosure: an unauthenticated request can cause an affected appliance to return a slice of its memory, and that memory can contain valid session tokens. The affected appliances are the NetScaler devices that perform load balancing, firewall functions, traffic management, VPN, and user authentication. With a stolen token, a threat actor can resume the authenticated session and bypass multifactor authentication or other strong authentication controls for as long as that session remains valid, even after the vulnerability has been patched.
Citrix released the patch on October 10, 2023.
Source: Bleeping Computer
Analysis
Citrix’s NetScaler devices have a long track record of being exploited by nation-state actors and cybercriminals alike. Now that exploit code for this specific vulnerability is publicly available, it’s likely that attacks on unpatched Citrix devices will become even more widespread.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices like Citrix NetScaler ADC and Gateway. This research contributes to the timely deployment of signatures into Covalence, our flagship security solution, to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when affected devices are detected in their environment and are encouraged to review these AROs (Actions, Recommendations, and Observations) as quickly as possible.
Users of Citrix NetScaler ADC and Gateway devices should apply the latest security patch as soon as possible. Because patching does not invalidate a session whose token has already been stolen, Citrix also recommends terminating all active and persistent sessions after the upgrade (ICA, RDP, PCoIP and AAA sessions, plus load-balancer persistence sessions). Administrators should then inspect access logs for signs of hijacked sessions, such as an established session suddenly being used from a new client IP address or a different user agent, or a session created before the upgrade that is still in use afterwards.
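The log-inspection half of that advice, as an added example that is not Field Effect's or Citrix's code: the script below parses SSLVPN-style session log lines and flags two things the page warns about, a session ID that is used from more than one client IP (a leaked token being replayed) and a session that was established before the patch timestamp yet is still active after it (a session that should have been killed post-upgrade). The log lines are constructed for this example, in a simplified shape modelled on NetScaler's SessionId / User / Client_ip fields; the regex, the timestamp format and the `audit` helper are assumptions to be adjusted to real ns.log output.

```python
"""Hunt for replayed and upgrade-surviving NetScaler sessions in log lines.

Added example, not Field Effect's or Citrix's code. The sample below is a
constructed, simplified approximation of NetScaler SSLVPN log lines; the
field labels follow ns.log conventions, but the regex and timestamp
format are assumptions and must be checked against a real device's output.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: alice logs in from 203.0.113.10, then her SessionId
# reappears from 198.51.100.77 with a scripted user agent, i.e. her token
# was stolen and replayed. bob's session starts after the (assumed) patch.
SAMPLE_LOG = """\
10/24/2023:09:12:01 GMT ns 0-PPE-0 : default SSLVPN LOGIN 101 0 : Context alice@203.0.113.10 - SessionId: 5001 - User alice - Client_ip 203.0.113.10 - Browser_type "Mozilla/5.0 (Windows NT 10.0)"
10/24/2023:09:14:22 GMT ns 0-PPE-0 : default SSLVPN HTTPREQUEST 102 0 : Context alice@203.0.113.10 - SessionId: 5001 - User alice - Client_ip 203.0.113.10 - Browser_type "Mozilla/5.0 (Windows NT 10.0)"
10/24/2023:11:40:05 GMT ns 0-PPE-0 : default SSLVPN HTTPREQUEST 103 0 : Context alice@198.51.100.77 - SessionId: 5001 - User alice - Client_ip 198.51.100.77 - Browser_type "python-requests/2.31"
10/24/2023:12:01:30 GMT ns 0-PPE-0 : default SSLVPN LOGIN 104 0 : Context bob@203.0.113.20 - SessionId: 5002 - User bob - Client_ip 203.0.113.20 - Browser_type "Mozilla/5.0 (Windows NT 10.0)"
10/24/2023:12:05:11 GMT ns 0-PPE-0 : default SSLVPN HTTPREQUEST 105 0 : Context bob@203.0.113.20 - SessionId: 5002 - User bob - Client_ip 203.0.113.20 - Browser_type "Mozilla/5.0 (Windows NT 10.0)"
"""

# Assumed line shape: leading GMT timestamp, then the session fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*?"
    r"SessionId: (?P<sid>\d+) - User (?P<user>\S+) - Client_ip (?P<ip>[\d.]+)"
    r'(?: - Browser_type "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return one event dict, or None for lines that carry no session."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%Y:%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "sid": m["sid"], "user": m["user"], "ip": m["ip"], "ua": m["ua"] or ""}


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def reused_sessions(events):
    """Session IDs seen from more than one client IP, with the IPs involved.
    A token leaked from appliance memory and replayed by an attacker shows
    up as the victim's SessionId arriving from a host the victim never used."""
    ips = defaultdict(set)
    for e in events:
        ips[e["sid"]].add(e["ip"])
    return {sid: s for sid, s in ips.items() if len(s) > 1}


def sessions_surviving_patch(events, patched_at):
    """Session IDs active both before and after the upgrade timestamp.
    Patching does not invalidate a token that was already stolen, so any
    session that straddles the upgrade should have been killed afterwards."""
    first, last = {}, {}
    for e in events:
        first[e["sid"]] = min(first.get(e["sid"], e["ts"]), e["ts"])
        last[e["sid"]] = max(last.get(e["sid"], e["ts"]), e["ts"])
    return {sid for sid in first if first[sid] < patched_at <= last[sid]}


def audit(text, patched_at_iso):
    """Run both checks; patched_at_iso is a UTC ISO-8601 timestamp (assumed)."""
    events = parse_log(text)
    patched_at = datetime.fromisoformat(patched_at_iso).replace(tzinfo=timezone.utc)
    return {
        "events": len(events),
        "reused": reused_sessions(events),
        "surviving": sessions_surviving_patch(events, patched_at),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, "2023-10-24T11:00:00")
    for sid, ips in result["reused"].items():
        print(f"session {sid} replayed from multiple IPs: {sorted(ips)}")
    for sid in sorted(result["surviving"]):
        print(f"session {sid} survived the upgrade and should be terminated")
```

Run it against exported ns.log content and the real upgrade time of the appliance; a session in `reused` is a hijack candidate to be terminated and investigated, and any session in `surviving` means the post-upgrade session kill was skipped or incomplete.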