Summary:

Our Security Partner (Secureworks Counter Threat Unit researchers) are aware of at least two incidents where affiliates of the LockBit ransomware group have exploited the Citrix Bleed vulnerability (CVE-2023-4966) to access environments. It is likely that other cybercriminals will begin to use working exploits. Citrix disclosed this critical information disclosure vulnerability on October 10, 2023, and the advisory notes that active exploitation has been observed. The issue affects NetScaler ADC and NetScaler Gateway appliances that are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Exploitation of this vulnerability allows attackers to obtain session tokens that bypass the use of credentials to log in, including multi-factor authentication. Even if devices are patched, it is possible that session tokens will persist.

Recommended actions:

Our Security Partner (Secureworks Counter Threat Unit researchers) recommend that customers review the Citrix advisory and update vulnerable versions of the software as appropriate in their environments. Additionally, affected customers should run the commands outlined in the NetScaler blog post as appropriate to prevent the persistence of session tokens.

Questions:

If you have any questions or concerns about this advisory, please contact us via our support desk – support@empsn.org.uk

References:

• NetScaler ADC and NetScaler Gateway Security Bulletin for CVE- and CVE (citrix.com)
• CVE-2023-4966: NetScaler Critical Security Update Now Available
• NVD – CVE (nist.gov)