TrollEye Security

A New Critical Citrix Bug Has Been Exploited as a Zero-Day

Few threats have garnered as much attention recently as the critical security vulnerability found in Citrix NetScaler. This flaw, identified as CVE-2023-4966, was patched last week, yet it continues to be a formidable threat for organizations, as active exploitation of the bug traces back to at least August 2023.

Organizations are strongly advised to terminate all active sessions to mitigate the risk. Even after the patch is deployed, authenticated sessions can linger, giving threat actors a conduit to use stolen session data for unauthorized access to resources until those sessions are terminated.

At its core, CVE-2023-4966 is an information-disclosure vulnerability that opens the door for cyberattackers to hijack existing authenticated sessions, potentially circumventing multifactor authentication (MFA). The consequence is full control over NetScaler environments, which are pivotal in managing application delivery within enterprises.

Zero-Day Exploitation Since August

The exploitation of this bug has been traced back to late summer, orchestrated by an unidentified threat actor. The principal focus of the ongoing exploitation seems to be cyberespionage, targeting sectors like professional services, technology, and government organizations.

It is extremely likely that other, financially motivated threat actors will jump on the bandwagon over time. This expectation is rooted in the historical laxity in mitigating known threats against Citrix gear. A glaring example is the earlier revelation of a critical pre-authentication remote code-execution (RCE) vulnerability in Citrix NetScaler gateways (CVE-2023-3519, CVSS score of 9.8) that remained exploited as a zero-day for a month before a fix was released in July. The aftermath saw thousands of credential-theft attacks, peaking in August as patching lagged.

The recent bug affects customer-managed Citrix NetScaler ADC and NetScaler Gateway installations, leaving cloud instances unscathed. The Citrix bug advisory and Mandiant have provided in-depth remediation guidance for CVE-2023-4966, urging a swift application of the available update.

Fixing and Mitigation: A Pragmatic Approach

Beyond applying the Citrix patch, Mandiant lays out additional remediation steps for NetScaler ADC/Gateway administrators: restricting ingress IP addresses if immediate patching is not feasible, terminating sessions after the upgrade, rotating credentials for identities that accessed vulnerable appliances, and closely monitoring for suspicious activity, especially where only single-factor authentication is in use.

Furthermore, Mandiant recommends rebuilding appliances with the latest clean-source image in case of detected web shells or backdoors, and ensuring no backdoors are present in backup configurations if restoring from backup.

Moreover, Mandiant emphasizes upgrading appliance firmware to the specified fixed versions to bolster the security posture against this persistent vulnerability.
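Two of the steps above, terminating sessions after the upgrade and monitoring for suspicious activity, can be checked against authentication logs. The following is an added example written for this update, not code from Citrix or Mandiant: it parses constructed log lines (the line layout, field names and session ids are assumptions, not NetScaler's real syslog format) and flags sessions that are used from more than one client IP, the signature of a replayed stolen session token, and sessions established before the patch that are still active after it, which should have been killed.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample lines; the layout (timestamp, event, user, session id,
# client IP) is an assumption, not NetScaler's real syslog format.
SAMPLE_LOGS = """\
2023-10-18T09:00:01Z LOGIN   user=alice session=S1 client=10.1.1.5
2023-10-18T09:05:12Z REQUEST user=alice session=S1 client=10.1.1.5
2023-10-18T09:07:44Z REQUEST user=alice session=S1 client=203.0.113.9
2023-10-18T09:10:00Z LOGIN   user=bob   session=S2 client=10.1.1.6
2023-10-18T11:40:00Z REQUEST user=bob   session=S2 client=10.1.1.6
2023-10-18T11:41:00Z REQUEST user=carol session=S3 client=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>\S+)\s+user=(?P<user>\S+)\s+"
    r"session=(?P<sid>\S+)\s+client=(?P<ip>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec

def find_session_anomalies(text, patch_time):
    """Return {session_id: [reasons]} for sessions worth investigating.
    patch_time: upgrade time as a UTC string in TS_FMT.
    ip_change: one session id seen from several client IPs (replayed token).
    survived_patch: established before the patch, still active after it.
    """
    patched_at = datetime.strptime(patch_time, TS_FMT)
    first_seen, last_seen, ips = {}, {}, defaultdict(set)
    for rec in parse_log(text):
        sid = rec["sid"]
        first_seen.setdefault(sid, rec["ts"])
        last_seen[sid] = rec["ts"]
        ips[sid].add(rec["ip"])
    findings = defaultdict(list)
    for sid in first_seen:
        if len(ips[sid]) > 1:
            findings[sid].append("ip_change")
        if first_seen[sid] < patched_at <= last_seen[sid]:
            findings[sid].append("survived_patch")
    return dict(findings)
```

With the sample data and a patch time of 11:00 UTC, session S1 is reported for the IP change and S2 for surviving the patch; S3 is clean.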

A Recapitulation of Persisting Threats

This is not a solitary incident of zero-day flaws in Citrix products; earlier this year, another zero-day flaw, identified as CVE-2023-3519, was exploited in early July and patched a few weeks later. The recurring vulnerabilities underscore the need for a proactive cybersecurity framework that not only addresses known threats but also pre-empts potential future exploits.

Thank you for reading this news update. If you would like to read more about TrollEye Security’s services, click here.