Citrix NetScaler ADC and NetScaler Gateway vulnerabilities

High Level Summary of the Security Advisory

Citrix, a DaaS and VDI solutions company, which provides services that enable secure and efficient access to applications, desktops, and data from a variety of devices and locations. These services are designed to enhance productivity, flexibility, and data security for businesses through the utilization of virtualization, networking, and remote access solutions.

On October 10, 2023, Citrix issued an advisory (last updated on 23rd October), outlining several vulnerabilities discovered in NetScaler ADC (formerly known as Citrix ADC), a web application delivery controller, and NetScaler Gateway (formerly known as Citrix Gateway), used for offloading SSL from application servers.

As per the advisory, Citrix has identified the affected versions of NetScaler ADC and NetScaler Gateway as follows:

• NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
• NetScaler ADC 13.1-FIPS before 13.1-37.164
• NetScaler ADC 12.1-FIPS before 12.1-55.300
• NetScaler ADC 12.1-NDcPP before 12.1-55.300

Since ​​Citrix has confirmed that the advisory was only relevant to NetScaler ADC and NetScaler Gateway products which are under direct customer management, customers relying on Citrix-managed cloud services or Citrix-managed Adaptive Authentication services are not required to take any action in response to this advisory.

As per the advisory, Citrix indicated that NetScaler ADC and NetScaler Gateway contain unauthenticated buffer-related vulnerabilities mentioned below:

The advisory received an update on October 23, 2023, on which Citrix posted an additional warning in the form of a blog post to corroborate the reports of incidents that align with session hijacking. Citrix also mentioned receiving credible reports of targeted attacks exploiting the CVE-2023-4966 vulnerability. These attacks facilitated session hijacking, enabling threat actors to circumvent authentication mechanisms entirely, including multi-factor authentication safeguards. By exploiting this vulnerability, attackers gained access to the memory of NetScaler ADC and Gateway appliances, allowing them to extract session cookies and attempt to bypass authentication. Therefore, even patched instances appear to be susceptible to exploitation, as the session tokens remain in memory. Citrix emphasized in the same post that version 12.1 of NetScaler ADC and NetScaler Gateway had reached its End-of-Life (EOL) status, and thus, customers were strongly urged to upgrade and patch their systems to the recommended versions.

Based on the information from various other sources, including The Register, BleepingComputer and SecurityWeek, the vulnerability identified as CVE-2023-4966 and disclosed on October 10, 2023, affecting Citrix NetScaler ADC and NetScaler Gateway (now goes by the alias 'Citrix Bleed’) permits unauthorized access to sensitive information on the devices. Mandiant, an American cybersecurity firm has confirmed the detection of zero-day exploitation of the 'Citrix Bleed' vulnerability, which surfaced late August 2023. Additionally, Mandiant has emphasized the challenge of investigating a vulnerable appliance for the exploitation of CVE-2023-4966 due to the absence of request (or error) logging on the webserver running on the appliance. To identify attempted exploitation requests, organizations will need to rely on web application firewalls (WAF) or other network appliances that record HTTP/S requests directed toward the NetScaler ADC or Gateway appliances.

Should I be concerned?

Maybe. It depends on if you have a relationship with Citrix. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.

Note: This link specifically references vendor directory records. You may also want to search your Relationship List for "Citrix” to confirm.

What to do if you or your vendors have an active relationship with Citrix

As recommended by Citrix, customers using affected builds and having configured NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server, must immediately install the recommended builds because the vulnerability CVE-2023-4966 has been identified as critical and no workarounds are available for it.

In addition to the aforementioned, NetScaler (Citrix) on its blog recommended killing all active and persistent sessions using the following commands:

kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions

Citrix has included a note underscoring the importance of maintaining the format while copying and pasting these commands.

The Cybersecurity and Infrastructure Security Agency (CISA) has added an entry for CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, which contains detection and mitigation guidance for observed exploitations of CVE-2023-4966 by threat actors against NetScaler ADC and NetScaler Gateway. Additionally, Mandiant has provided remediation guidance on the following link - Citrix NetScaler ADC/Gateway: CVE-2023-4966 Remediation.

We strongly advise promptly reaching out to the Citrix team and conducting a thorough investigation to assess any potential impact of these two vulnerabilities on your organization's systems, data, and network environment. Subsequently, implement the requisite remedial actions.

--------------------------------------------------------------

We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback please let us know at product@visotrust.com. 

For any additional questions, please reach out to your customer success manager.

Stay ahead of the curve with our Public Risk Notice Alerts!

Get the latest information and news to your inbox on cybersecurity breaches and third-party vendor risks that could impact your organization.

Sign up today to fortify your organization's security.

The VISO TRUST team

—----------—----------—-----