I would guess that Citrix users on unpatched instances are "under fire" once again, because more information is now available on the recently disclosed vulnerability CVE-2023-4966. Under the name "Citrix Bleed", security researchers have described how Citrix NetScaler ADC and Gateway leak session tokens to attackers and have presented a proof of concept (PoC). Citrix had published a security advisory for the vulnerability in early October 2023.
Citrix has warned about the CVE-2023-4966 vulnerability
Citrix issued security bulletin CTX579459 (NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967) on October 10, 2023. Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). NetScaler ADC and NetScaler Gateway contain the following unauthenticated buffer-related vulnerabilities:
- CVE-2023-4966: Sensitive information disclosure vulnerability; CVSS score 9.4
- CVE-2023-4967: Denial of service vulnerability; CVSS score 8.2
Only customer-managed NetScaler ADC and NetScaler Gateway products are affected. Affected customers have been asked to install the appropriate updated versions of NetScaler ADC and NetScaler Gateway as soon as possible. I had described the details in the blog post Citrix NetScaler ADC and Gateway vulnerabilities (CVE-2023-4966 and CVE-2023-4967).
Citrix NetScaler is a network appliance that provides load balancing, firewall and VPN services. NetScaler Gateway usually refers to the VPN and authentication components, while ADC refers to the load balancing and traffic management functions. The products are a regular source of problems and vulnerabilities.
Urgent warning of exploitation
I read a couple of days ago at Bleeping Computer that Citrix has asked administrators to urgently patch the NetScaler vulnerability CVE-2023-4966. Mandiant had discovered ongoing exploitation of this vulnerability. Mandiant stated that threat actors have been exploiting CVE-2023-4966 as a 0-day since late August 2023 to steal authentication sessions and hijack accounts, which allows the attackers to bypass multifactor authentication and other strong authentication requirements.
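The practical consequence of a leaked session token is that the attacker replays it from their own machine, so the same session id suddenly shows up from a second client address. The following added example (my own illustration, not code from Citrix, Mandiant or the blog post) flags exactly that pattern in a constructed, simplified session log; the log layout, the field names and the sample lines are assumptions and would have to be adapted to the real NetScaler syslog format.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical, simplified gateway log format
# (not the real NetScaler syslog layout): timestamp, event, user, session id
# and client IP. One session token used from two different client addresses
# is the tell-tale sign of a stolen (hijacked) session.
SAMPLE_LOG = """\
2023-10-20T08:01:12Z SESSION_LOGIN user=alice session=a1f9c3 client=203.0.113.10
2023-10-20T08:05:40Z SESSION_ACTIVITY user=alice session=a1f9c3 client=203.0.113.10
2023-10-20T08:07:03Z SESSION_ACTIVITY user=alice session=a1f9c3 client=198.51.100.77
2023-10-20T08:09:15Z SESSION_LOGIN user=bob session=77e0b2 client=192.0.2.44
2023-10-20T08:11:58Z SESSION_ACTIVITY user=bob session=77e0b2 client=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) "
    r"session=(?P<session>\S+) client=(?P<client>\S+)$"
)


def parse_log(text):
    """Yield one dict per parsable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_hijacked_sessions(text):
    """Return {session_id: {"user": ..., "clients": [ips in order seen]}}
    for every session that was used from more than one client address."""
    seen = defaultdict(lambda: {"user": None, "clients": []})
    for rec in parse_log(text):
        entry = seen[rec["session"]]
        entry["user"] = rec["user"]
        if rec["client"] not in entry["clients"]:
            entry["clients"].append(rec["client"])
    return {sid: e for sid, e in seen.items() if len(e["clients"]) > 1}


if __name__ == "__main__":
    for sid, e in find_hijacked_sessions(SAMPLE_LOG).items():
        print(f"session {sid} of {e['user']} used from {', '.join(e['clients'])}")
```

A hit is only a lead, not proof: legitimate roaming between networks looks the same, so the flagged sessions should be correlated with the login time, geography and the patch state of the appliance before they are terminated.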
Citrix Bleed: PoC on CVE-2023-4966
Now security researchers from Assetnote have presented their analysis of the CVE-2023-4966 vulnerability, based on reverse engineering of the patch, under the title "Citrix Bleed". The following post on Bluesky points to the article Citrix Bleed: Leaking Session Tokens with CVE-2023-4966 with the details.
The security researchers were intrigued by the CVE-2023-4966 vulnerability, which was described as "sensitive information disclosure" and given a CVSS score of 9.4. Such a high CVSS score for a vulnerability that only involves information disclosure, together with the mention of "buffer-related vulnerabilities", piqued their interest.
Their goal was to understand the vulnerability and develop a check for their attack surface management platform. The security researchers succeeded in this endeavor and were able to present a proof of concept (PoC), which is described in detail in the article.