Critical Citrix NetScaler bug exploited in the wild since August

Attacks spark concern as threat actors exploit multifactor authentication bypass techniques


A critical zero-day vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway has been actively exploited by malicious actors, raising alarms in the government and technology sectors.

As a result, organisations are being urged to patch their systems immediately to avoid potential data breaches and security compromises.

Citrix recently addressed two unauthenticated buffer-related vulnerabilities, indexed as CVE-2023-4966 and CVE-2023-4967, both of which affected multiple versions of NetScaler ADC and NetScaler Gateway.

However, on Tuesday, Citrix revised its advisory to emphasise that exploits of CVE-2023-4966 on unpatched appliances have been observed in the wild.

The vulnerability affects the following versions of NetScaler ADC and Gateway appliances:

NetScaler ADC 12.1, which is now End-of-Life (EOL), remains vulnerable to the exploit.

Only appliances configured as Gateways (VPN virtual servers, ICA Proxy, CVPN, and RDP Proxy) or as authentication, authorisation and accounting (AAA) virtual servers are susceptible. Customers utilising Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected.

Mandiant, a security firm and subsidiary of Google, issued an alert on Tuesday saying it had identified zero-day exploitation of CVE-2023-4966 beginning in late August 2023. The cybercampaign primarily targeted professional services, technology firms and government organisations.

Most alarming are the threat actors' demonstrated multifactor authentication (MFA) bypass techniques, which necessitate additional measures beyond patching to safeguard systems.

Successful exploitation of CVE-2023-4966 could enable attackers to hijack existing authenticated sessions, thereby circumventing MFA and other robust authentication measures.

Mandiant said these compromised sessions could persist even after the CVE-2023-4966 update has been applied. It also identified cases of session hijacking in which session data was stolen before the patches were installed and subsequently used by an unidentified threat actor.
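The practical consequence of the paragraph above is that applying the patch alone does not close the exposure: a session stolen before patching keeps working until it is terminated, and a stolen session is used from an address that never completed MFA. The following is an added illustration, not code from Citrix, Mandiant or the article, of two checks a defender would run over their own session records; the record layout, the field names and the sample events are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class SessionEvent:
    ts: int          # epoch seconds
    session_id: str  # opaque session token (constructed, hypothetical format)
    user: str
    src_ip: str
    kind: str        # "login" (authentication incl. MFA completed) or "request"


# Constructed sample records; not output of any real appliance.
PATCH_TS = 1693003000  # hypothetical moment the CVE-2023-4966 fix was applied
SAMPLE_EVENTS = [
    SessionEvent(1693000000, "sess-A1", "alice", "203.0.113.10", "login"),
    SessionEvent(1693000300, "sess-A1", "alice", "203.0.113.10", "request"),
    SessionEvent(1693003600, "sess-A1", "alice", "198.51.100.77", "request"),
    SessionEvent(1693004000, "sess-B2", "bob", "203.0.113.20", "login"),
    SessionEvent(1693004500, "sess-B2", "bob", "203.0.113.20", "request"),
]


def sessions_with_foreign_ip(events: Iterable[SessionEvent]) -> dict[str, set[str]]:
    """Map session_id -> addresses that used the session but did not authenticate it.

    A valid session token arriving from an address other than the one that
    passed authentication is the signature of session hijacking: the second
    address never went through MFA at all."""
    origin: dict[str, str] = {}
    suspect: dict[str, set[str]] = defaultdict(set)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            origin[ev.session_id] = ev.src_ip
        elif ev.session_id in origin and ev.src_ip != origin[ev.session_id]:
            suspect[ev.session_id].add(ev.src_ip)
    return dict(suspect)


def pre_patch_sessions_still_active(events: Iterable[SessionEvent], patch_ts: int) -> set[str]:
    """Sessions authenticated before the patch and still in use after it.

    The update does not invalidate existing sessions, so every one of these
    must be terminated explicitly (and its user re-authenticated)."""
    events = list(events)
    before = {e.session_id for e in events if e.kind == "login" and e.ts < patch_ts}
    after = {e.session_id for e in events if e.ts >= patch_ts}
    return before & after


if __name__ == "__main__":
    print(sessions_with_foreign_ip(SAMPLE_EVENTS))                  # {'sess-A1': {'198.51.100.77'}}
    print(pre_patch_sessions_still_active(SAMPLE_EVENTS, PATCH_TS))  # {'sess-A1'}
```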

"The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted," Mandiant explained.

"A threat actor could utilise this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment."

The identity of the threat actor behind these attacks remains undisclosed. Given the active exploitation of this vulnerability and the attractiveness of Citrix bugs to threat actors, it is imperative for users to act swiftly by updating their systems to the latest versions to mitigate potential threats.

This marks the second time in three months that Citrix NetScaler ADC and NetScaler Gateway have been targeted by cyberattacks.

In July, Citrix issued a warning to its customers regarding a critical vulnerability, identified as CVE-2023-3519, in NetScaler ADC and NetScaler Gateway.

This vulnerability had already been exploited by malicious actors.

Notably, it received a high severity score of 9.8 out of 10 and stemmed from a code-injection flaw that could lead to unauthenticated remote code execution.

In August, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in the Citrix ShareFile storage zones controller, indexed as CVE-2023-24489, to its Known Exploited Vulnerabilities (KEV) catalogue.

This flaw, carrying a significant CVSS score of 9.8, was actively exploited, according to the agency's findings.

The vulnerability allowed remote, unauthenticated attackers to compromise vulnerable Citrix ShareFile instances due to inadequate access controls when handling cryptographic operations.