Citrix Bleed: Vulnerability CVE-2023-4966 leaks session tokens in NetScaler ADC and Gateway, PoC available

I would guess that Citrix users running unpatched instances are "under fire" once again, because more information is now available on the recently disclosed vulnerability CVE-2023-4966. Under the name "Citrix Bleed", security researchers have described how Citrix NetScaler ADC and Gateway leak session tokens to attackers and have presented a proof of concept (PoC). Citrix had published security advisories for the vulnerability in early October 2023.



Citrix has warned about CVE-2023-4966 vulnerability

On October 10, 2023, Citrix issued security bulletin CTX579459 (NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967). Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). NetScaler ADC and NetScaler Gateway contain the following unauthenticated buffer-related vulnerabilities:

  • CVE-2023-4966: Sensitive information disclosure vulnerability; CVSS score 9.4;
  • CVE-2023-4967: Denial of service vulnerability; CVSS score 8.2;

Only customer-managed NetScaler ADC and NetScaler Gateway products are affected. Affected customers have been asked to install the updated versions of NetScaler ADC and NetScaler Gateway as soon as possible. I described the details in the blog post Citrix NetScaler ADC and Gateway vulnerabilities (CVE-2023-4966 and CVE-2023-4967).

Citrix NetScaler is a network appliance that provides load balancing, firewall and VPN services. NetScaler Gateway usually refers to the VPN and authentication components, while ADC refers to the load balancing and traffic management functions. The products are a regular source of problems and vulnerabilities.

Urgent warning of exploitation

I read a couple of days ago at Bleeping Computer that Citrix has urged administrators to patch the NetScaler vulnerability CVE-2023-4966 immediately. Mandiant had discovered ongoing exploitation of this vulnerability. Mandiant stated that threat actors have been exploiting CVE-2023-4966 as a 0-day since late August 2023 to steal authentication sessions and hijack accounts, which allows attackers to bypass multi-factor authentication or other strong authentication requirements.
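Because a stolen session token lets an attacker skip the login (and with it MFA) entirely, the defender-side signal is a token that appears without a matching login or from a client address other than the one that logged in. The following Python is an added illustration of that correlation, not code from Citrix, Mandiant or the original post; the log lines and their field layout are constructed for the example and are not NetScaler's real format.

```python
import re

# Constructed, syslog-style session events loosely modelled on an AAA/VPN gateway log.
# The field layout is an assumption made for this example, not NetScaler's real format.
SAMPLE_LOG = """\
2023-10-20T08:00:01Z AAA SESSION_START user=alice session=S1 client=203.0.113.10
2023-10-20T08:05:12Z AAA HTTP_REQUEST user=alice session=S1 client=203.0.113.10
2023-10-20T08:07:45Z AAA HTTP_REQUEST user=alice session=S1 client=198.51.100.77
2023-10-20T08:10:00Z AAA SESSION_START user=bob session=S2 client=192.0.2.5
2023-10-20T08:11:30Z AAA HTTP_REQUEST user=bob session=S2 client=192.0.2.5
2023-10-20T08:12:02Z AAA HTTP_REQUEST user=carol session=S3 client=198.51.100.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) AAA (?P<event>\S+) user=(?P<user>\S+) "
    r"session=(?P<sid>\S+) client=(?P<ip>\S+)$"
)

def parse_events(text):
    """Parse the constructed log into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_hijack_candidates(events):
    """Flag sessions whose token is presented the way a replayed, stolen token would be:
    from a client address other than the one that logged in, or with no login event
    at all inside the log window. Each session is reported at most once."""
    origin_ip = {}   # session id -> client IP of its SESSION_START
    alerts, flagged = [], set()
    for e in events:
        sid = e["sid"]
        if e["event"] == "SESSION_START":
            origin_ip[sid] = e["ip"]
            continue
        if sid in flagged:
            continue
        origin = origin_ip.get(sid)
        if origin is None:
            reason = "token used without a preceding login"
        elif e["ip"] != origin:
            reason = "token used from a different client IP than the login"
        else:
            continue
        flagged.add(sid)
        alerts.append({"user": e["user"], "session": sid, "origin_ip": origin,
                       "new_ip": e["ip"], "first_seen": e["ts"], "reason": reason})
    return alerts
```

Roaming users behind changing NAT addresses produce the same pattern, so treat a hit as a triage lead to be checked against the login history, not as proof of compromise.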

Citrix Bleed: PoC on CVE-2023-4966

Now security researchers from Assetnote have presented their analysis of the CVE-2023-4966 vulnerability, based on reverse engineering of the patch, under the title "Citrix Bleed". A post on BlueSky points to the article Citrix Bleed: Leaking Session Tokens with CVE-2023-4966, which contains the details.



The security researchers became interested in the CVE-2023-4966 vulnerability, which was described as "sensitive information disclosure" and given a CVSS score of 9.4. Such a high CVSS score for a vulnerability that only concerned information disclosure, together with the mention of "buffer-related vulnerabilities", piqued their interest.

Their goal was to understand the vulnerability and develop a check for their attack surface management platform. The security researchers succeeded in this endeavor and were able to present a proof of concept (PoC), which is described in detail in the article.


