Executive Summary
CVE-2023-4966, also known as Citrix Bleed, is a critical vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway. This vulnerability, which has a CVSS score of 9.4, allows for sensitive information disclosure due to a buffer overflow issue when the application is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The vulnerability has been actively exploited in the wild, posing a significant risk to organizations using these Citrix products. Immediate action is required to update affected systems and mitigate potential exploitation.
Technical Information
CVE-2023-4966 is a buffer overflow vulnerability that affects Citrix NetScaler ADC and NetScaler Gateway. The vulnerability arises when the application is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The buffer overflow issue allows an unauthenticated remote threat actor to access memory outside the intended buffer boundaries, potentially leading to the disclosure of sensitive information, including session authentication tokens.
The affected products and versions are as follows:
- Citrix NetScaler ADC (formerly Citrix ADC)
- Citrix NetScaler Gateway (formerly Citrix Gateway)
- Versions:
  - 14.1 before 14.1-8.50
  - 13.1 before 13.1-49.15
  - 13.0 before 13.0-92.19
  - 13.1-FIPS before 13.1-37.164
  - 12.1-FIPS before 12.1-55.300
  - 12.1-NDcPP before 12.1-55.300
The vulnerability has been assigned a CVSS score of 9.4, reflecting its critical severity: no authentication is required, the attacker only needs network access to the Gateway or AAA virtual server, and the leaked memory can contain session authentication tokens that allow an attacker to impersonate a logged-in user.
Exploitation in the Wild
CISA and other cybersecurity entities have observed active, targeted exploitation of CVE-2023-4966 against unmitigated appliances. Because the leaked session tokens remain valid after patching, appliances that were exposed before the update may already have been compromised even if they are now running a fixed build.
Several proof-of-concept (POC) exploits have been published, demonstrating how attackers can leverage this vulnerability to leak session tokens from vulnerable Citrix ADC instances. The following repositories provide detailed scripts and instructions for exploiting CVE-2023-4966:
- Chocapikk's Repository: GitHub - Chocapikk/CVE-2023-4966 (https://github.com/Chocapikk/CVE-2023-4966)
- RevoltSecurities' Repository: GitHub - RevoltSecurities/CVE-2023-4966 (https://github.com/RevoltSecurities/CVE-2023-4966)
- Assetnote's Exploit: GitHub - assetnote/exploits (https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966)
- Certat's Log Checker: GitHub - certat/citrix-logchecker (https://github.com/certat/citrix-logchecker)
- Dinosn's Repository: GitHub - dinosn/citrix_cve-2023-4966 (https://github.com/dinosn/citrix_cve-2023-4966)
- Mlynchcogent's POC: GitHub - mlynchcogent/CVE-2023-4966-POC (https://github.com/mlynchcogent/CVE-2023-4966-POC)
- Rapid7's Metasploit Module: GitHub - rapid7/metasploit-framework (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/citrix_bleed_cve_2023_4966.rb)
- Sanjai-AK47's Repository: GitHub - sanjai-AK47/CVE-2023-4966 (https://github.com/sanjai-AK47/CVE-2023-4966)
APT Groups using this vulnerability
Several Advanced Persistent Threat (APT) groups have been observed exploiting CVE-2023-4966. These groups are known for targeting critical infrastructure and high-value targets across various sectors and countries. The exploitation of this vulnerability has been particularly prevalent in sectors such as finance, healthcare, and government. Notable APT groups include APT41, APT29, and FIN7, which have a history of targeting organizations in the United States, Europe, and Asia.
Affected Product Versions
The following product versions are affected by CVE-2023-4966:
- Citrix NetScaler ADC (formerly Citrix ADC)
- Citrix NetScaler Gateway (formerly Citrix Gateway)
- Versions:
  - 14.1 before 14.1-8.50
  - 13.1 before 13.1-49.15
  - 13.0 before 13.0-92.19
  - 13.1-FIPS before 13.1-37.164
  - 12.1-FIPS before 12.1-55.300
  - 12.1-NDcPP before 12.1-55.300
Workaround and Mitigation
Citrix has released security updates to address this vulnerability. Organizations are urged to update their NetScaler ADC and NetScaler Gateway appliances to the following versions:
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
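The affected-version list above and the fixed builds in the update list are easy to misread by hand, because each branch (14.1, 13.1, 13.0, and the FIPS/NDcPP builds) has its own threshold and the FIPS builds of 13.1 carry much lower build numbers than the mainline 13.1 builds. The following script is an added example, not code from Rescana or Citrix: it encodes the fixed builds stated in this advisory and sorts an inventory of appliances into affected, fixed, and unknown. The hostnames and builds in the sample inventory are constructed, and the `show version` banner format that `build_from_banner` parses (`NS13.1: Build 49.15.nc`) is an assumption about the appliance output.

```python
"""Added example: triage NetScaler ADC/Gateway builds against the CVE-2023-4966
fixed builds listed in this advisory. Not Rescana's or Citrix's own tooling."""
import re
from typing import Optional

# Minimum fixed build per release branch, as stated in the advisory. A build on the
# same branch that sorts below its threshold is affected. Branches the advisory does
# not list (for example plain 12.1 without FIPS/NDcPP) are reported as unknown
# rather than guessed.
FIXED_BUILDS = {
    "14.1": "14.1-8.50",
    "13.1": "13.1-49.15",
    "13.0": "13.0-92.19",
    "13.1-FIPS": "13.1-37.164",
    "12.1-FIPS": "12.1-55.300",
    "12.1-NDcPP": "12.1-55.300",
}

# Notation used by the advisory: <major>.<minor>-<build>.<sub>
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
# Assumed form of the 'show version' banner, e.g. "NetScaler NS13.1: Build 49.15.nc"
_BANNER_RE = re.compile(r"NS(\d+)\.(\d+): Build (\d+)\.(\d+)")


def parse_build(build: str) -> tuple[int, int, int, int]:
    """Turn '13.1-49.15' into (13, 1, 49, 15) so builds compare numerically,
    not lexically ('13.1-8.50' must sort below '13.1-49.15')."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def build_from_banner(banner: str) -> str:
    """Convert a 'show version' banner (assumed format) into advisory notation."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"no NetScaler version found in: {banner!r}")
    major, minor, build, sub = m.groups()
    return f"{major}.{minor}-{build}.{sub}"


def is_affected(build: str, variant: Optional[str] = None) -> Optional[bool]:
    """True if the build is below its branch's fixed build, False if at or after it,
    None if the advisory does not cover the branch. Pass variant='FIPS' or 'NDcPP'
    for those builds, since they have separate thresholds from mainline."""
    major, minor, _, _ = parse_build(build)
    key = f"{major}.{minor}" + (f"-{variant}" if variant else "")
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return None
    return parse_build(build) < parse_build(fixed)


def triage(inventory: list[tuple[str, str, Optional[str]]]) -> dict[str, list[str]]:
    """Sort an inventory of (host, build, variant) into affected/fixed/unknown buckets."""
    result: dict[str, list[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, build, variant in inventory:
        verdict = is_affected(build, variant)
        bucket = "unknown" if verdict is None else ("affected" if verdict else "fixed")
        result[bucket].append(host)
    return result


# Constructed sample inventory: hostnames and builds are made up for this example.
SAMPLE_INVENTORY = [
    ("gw-01.example.test", "13.1-49.13", None),
    ("gw-02.example.test", "13.1-49.15", None),
    ("gw-03.example.test", "14.1-4.42", None),
    ("fips-01.example.test", "12.1-55.291", "NDcPP"),
    ("fips-02.example.test", "13.1-37.164", "FIPS"),
    ("legacy-01.example.test", "12.1-55.300", None),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "affected" bucket need the update and, per the steps that follow, a session invalidation afterwards; hosts in "unknown" are on a branch this advisory does not list and should be checked against the vendor bulletin rather than assumed safe.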
In addition to updating to the fixed versions, organizations should take the following steps:
1. Invalidate Active Sessions: Invalidate all active or persistent session tokens to prevent potential session hijacking.
2. Monitor for Malicious Activity: Continuously monitor for any signs of malicious activity and report any positive findings to CISA or relevant authorities.
3. Implement Network Segmentation: Segment critical systems and networks to limit the potential impact of an exploit.
4. Enable Multi-Factor Authentication (MFA): Implement MFA to add an additional layer of security to user accounts.
References
- CISA Guidance on CVE-2023-4966: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Chocapikk's GitHub Repository: https://github.com/Chocapikk/CVE-2023-4966
- RevoltSecurities' GitHub Repository: https://github.com/RevoltSecurities/CVE-2023-4966
- Assetnote's Exploit Repository: https://github.com/assetnote/exploits/tree/main/citrix/CVE-2023-4966
- Certat's Log Checker: https://github.com/certat/citrix-logchecker
- Dinosn's GitHub Repository: https://github.com/dinosn/citrix_cve-2023-4966
- Mlynchcogent's POC: https://github.com/mlynchcogent/CVE-2023-4966-POC
- Rapid7's Metasploit Module: https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/citrix_bleed_cve_2023_4966.rb
- Sanjai-AK47's GitHub Repository: https://github.com/sanjai-AK47/CVE-2023-4966
Rescana is here for you
At Rescana, we understand the critical importance of safeguarding your organization's digital assets. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities like CVE-2023-4966. We provide comprehensive threat intelligence, continuous monitoring, and actionable insights to ensure your organization remains secure. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.