A critical information disclosure vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway has been exploited in the wild as a zero-day vulnerability. Organizations are urged to patch immediately.

Background

On October 10, Citrix published a security bulletin (CTX579459) that addressed a critical severity information disclosure vulnerability in Netscaler ADC (formerly known as Citrix ADC) and Netscaler Gateway (formerly known as Citrix Gateway).

On October 17, Mandiant released a blog post and remediation guidance document where they noted that exploitation of a zero-day vulnerability, later identified as CVE-2023-4966, was observed in late August.

In addition to CVE-2023-4966, Citrix patched one additional vulnerability in security bulletin CTX579459.

Analysis

CVE-2023-4966 is an information disclosure vulnerability in NetScaler ADC and NetScaler Gateway. When configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, an unauthenticated attacker could exploit the device in order to hijack an existing authenticated session. Depending on the permissions of the account they have hijacked, this could allow the attacker to gain additional access within a target environment and collect other account credentials. Successful exploitation allows the attacker to bypass multifactor authentication (MFA) requirements.

CVE-2023-4966 was exploited as a zero-day

In a remediation guidance blog post by Mandiant, the firm acknowledges that they first observed exploitation of the then zero-day vulnerability in late August. While no further information was provided on who might be behind the attacks, Mandiant’s investigation resulted in some remediation and risk reduction advice.

As part of their guidance, Mandiant notes that an attacker's session could persist even after a device has been patched. In order to resolve this, the following command can be run using the command line interface (CLI):

Image Source: Mandiant, October 2023

In addition, Mandiant offers recommendations and investigation suggestions to determine if a device may have been impacted. Mandiant states that they have “not identified any available logs or other artifacts resident on NetScaler appliances that record evidence of exploitation.” We strongly recommend reviewing their guidance and following the suggestions outlined.

ADC and Gateway Historically Targeted by Attackers

Citrix’s NetScaler ADC and NetScaler Gateway appliances have long been valuable targets for attackers. In December 2022, Citrix patched a critical remote code execution (RCE) vulnerability, CVE-2022-27518, in Citrix NetScaler ADC and NetScaler Gateway, that was also exploited in the wild.

Following the disclosure of CVE-2019-19781, another unauthenticated RCE vulnerability in NetScaler ADC and NetScaler Gateway appliances in late 2019, active exploitation began in early 2020 and it remained a popular vulnerability with a variety of attackers including Chinese state-sponsored threat actors, Iranian-based threat actors, Russian state-sponsored threat groups as well as ransomware groups. Additionally, CVE-2019-19781 was featured as one of the Top 5 vulnerabilities in our 2020 Threat Landscape Retrospective report.

Due to the historical nature of exploitation against NetScaler ADC and NetScaler Gateway appliances, we strongly urge organizations to patch CVE-2023-4966 as soon as possible.

Proof of concept

At the time that this blog post was published, there was no proof-of-concept available for CVE-2023-4966.

Solution

Citirix has released patches for CVE-2023-4966 as well as the DoS vulnerability, CVE-2023-4967, as outlined in the table below:

Citrix also notes that NetScaler ADC and NetScaler Gateway versions 12.1 is End of Life (EOL), and users are urged to upgrade to a supported version immediately.

Users of Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to perform any actions according to the Citirx security bulletin, which clarifies that it only applies to customer-managed servers.

Identifying affected systems

A list of Tenable plugins to identify affected systems can be located here. This link will display all available plugins for both of these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

• Citrix Security Bulletin (CTX579459)
• Mandiant Remediation Guidance Blog Post
• Mandiant Remediation Guidance PDF

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.