Time may be running short for users of Citrix’s NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products who have not yet patched against two recently disclosed vulnerabilities to do so, after cyber researchers started to see elevated levels of activity targeting them.
Disclosed on 10 October, and possibly exploited as long ago as August, the two flaws are tracked as CVE-2023-4966 and CVE-2023-4967. The first of these is a sensitive information disclosure vulnerability carrying a Common Vulnerability Scoring System (CVSS) score of 9.4, and the second is a denial-of-service vulnerability carrying a CVSS score of 8.2.
The growing volume of threat actor activity is targeting the first of these vulnerabilities, according to Citrix. In a statement, the company said: “We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability.”
Citrix said it strongly recommended users of the affected products to immediately install the updated, recommended builds, as well as killing all active and persistent sessions as a precaution. More details of how to do so are available from Citrix. Note that there are no further workarounds available.
Exploitation of CVE-2023-4966 may escalate still further after the publication of a public proof of concept (PoC) by researchers at AssetNote on 25 October. In his write-up, AssetNote’s Dylan Pindur revealed how he was able to exploit the vulnerability in order to obtain a valid session token.
“Like previous issues with Citrix NetScaler, the issue was made worse by a lack of other defence-in-depth techniques and mitigations,” wrote Pindur. “Not clearing sensitive data from what appear to be temporary buffers and stricter validation on client-provided data being the two most obvious mitigations which could have been applied to minimise the damage.”
Since this, multiple sources have stated that scanning activity has increased. In a statement posted to X, the website formerly known as Twitter, internet security specialist ShadowServer said its honeypot sensors had seen a “sharp increase in queries” related to CVE-2023-4966.
As of 23 October, ShadowServer said it had observed around 9,000 vulnerable NetScaler instances worldwide – about 4,100 in the US, 850 in Germany and 480 in the UK.
Rapid7 also confirmed it was seeing more activity. In a statement, it said: “Rapid7 MDR is investigating potential exploitation of this vulnerability in a customer environment but is not yet able to confirm with high confidence that CVE-2023-4966 was the initial access vector.
“Rapid7 recommends taking emergency action to mitigate CVE-2023-4966. Threat actors, including ransomware groups, have historically shown strong interest in Citrix NetScaler ADC vulnerabilities. We expect exploitation to increase.”
Between them, Citrix NetScaler ADC and Gateway oversee a number of networking and security services, including load balancing, firewalls and virtual private networks, and as such, threat actors know to look out for new vulnerabilities in the product family and are quick to exploit them.
Earlier this year, three zero-days – CVE-2023-3466, a reflected cross-site scripting flaw; CVE-2023-3467, a privilege escalation vulnerability; and CVE-2023-3519, an unauthenticated remote code execution (RCE) bug – came to widespread attention after the third, the RCE flaw, was exploited by a Chinese state advanced persistent threat (APT) group to drop a webshell on a non-production NetScaler ADC environment at an unnamed critical national infrastructure (CNI) operator.
The threat actor used this webshell to perform discovery actions and exfiltrate data from the victim’s active directory (AD) and then tried to move laterally to another domain controller, although at this point they were discovered when the appliance’s network-segmentation controls thwarted this attempt.