Headline
As Citrix Urges Its Clients to Patch, Researchers Release an Exploit
In the race over Citrix’s latest vulnerability, the bad guys have a huge head start, with broad implications for businesses and critical infrastructure providers worldwide.
A critical security update is now available for the latest high-profile Citrix NetScaler vulnerability. But so is an exploit. And in some cases, the latter may be simpler to use than the former.
It’s been a busy week so far for Citrix customers. On Sept. 23, following reports of active exploitation in the wild, the company released an urgent update for CVE-2023-4966, a sensitive information disclosure vulnerability in its NetScaler application delivery controller (ADC) and Gateway products. The vulnerability was assigned a “High” 7.5 out of 10 CVSS rating by NIST, but a “Critical” 9.4 by Citrix itself.
Then on Sept. 24, researchers from Assetnote published a proof-of-concept (PoC) exploit to GitHub. The widely available exploit is, relative to the severe consequences it can wreak, remarkably simple.
“It’s a remote access solution in the vast majority of places and, as a result, it’s exposed to the Internet most of the time,” explains Andy Hornegold, VP of product at Intruder. “The risk is somebody will be able to exploit this vulnerability, read session tokens, connect to your device as one of your standard users, and then access your environment with those privileges.”
The New Citrix Exploit
Researchers from Assetnote discovered two related functions at the heart of CVE-2023-4966 — ns_aaa_oauth_send_openid_config and ns_aaa_oauthrp_send_openid_config — both responsible for implementing the OpenID Connect (OIDC) Discovery endpoint. OIDC is an open protocol used for authentication and authorization.
On an unpatched NetScaler device, an attacker could easily overload the buffer by sending a request exceeding 24,812 bytes. With a request hardly three lines long, the researchers discovered they could cause the device to leak memory.
“It feels like hacking back in 1999,” Hornegold says, only half-jokingly. “Back in the day it was, like, the default way of trying to carry out these kinds of attacks — to just stuff a whole load of 'a’s into a packet and see what comes back.”
In this case, he explains, “I can send one request with a whole bunch of 'a’s in one go, and then in the body of the response, it starts to expose session tokens for people who are logged in to that NetScaler device, which I can reuse to log in as those users.” By hijacking an authenticated session, a malicious actor could potentially bypass any checks, including multifactor authentication (MFA).
Why Patching Isn’t Enough
According to Citrix, its software is used by more than 400,000 organizations across the globe, including 98% of Fortune 500 companies. According to Enlyft, NetScaler in particular is used by nearly 84,000 companies, including brand names like eBay and Fujitsu.
NetScaler isn’t just popular. As Intruder noted in a Sept. 25 blog post, it’s popular most notably within critical industries, which often prefer to run infrastructure on-premises rather than in the cloud.
So while Citrix advised customers on Sept. 23 to patch as soon as possible, doing so won’t be equally easy for everyone. For organizations that require 24/7 uptime, “It’s a bit of a balancing act,” Hornegold says, “because you obviously need to keep that service live for as long as possible, especially when you’re talking about critical national infrastructure. Any downtime needs to be taken as part of a risk consideration.”
Regular businesses won’t be able to just patch and forget about it, either. As Mandiant pointed out last week, hijacked sessions could persist even through patches, so organizations have to take the extra step of terminating all active sessions.
And even that may not be enough. Mandiant observed threat actors exploiting CVE-2023-4966 as early as August, leaving a healthy window of time for further post-exploitation persistence and downstream access.
“There’s a whole two months of opportunity there,” Hornegold points out. “So if the question is ‘what is the worst that could happen if you don’t patch this?’ —realistically, the worst may well have happened already.”
Related news
By Deeba Ahmed Mikhail Vasiliev, a Russian-Canadian citizen faces four years in a Canadian prison and is likely to be extradited to the US after completing his sentence. This is a post from HackRead.com Read the original post: LockBit Affiliate Sentenced to 4 Years in Canada, Faces Extradition
Talos IR observed operations involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time this quarter.
Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild. The flaws are listed below - CVE-2023-6548 (CVSS score: 5.5) - Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management
By Deeba Ahmed The latest Xfinity data breach is linked to the critical Citrix Bleed vulnerability. This is a post from HackRead.com Read the original post: Xfinity Rocked with Data Breach Impacting 36 Million Users
In November, ransomware gangs attacked at least 457 victims—the highest monthly count in 2023, after May's record numbers.
Multiple threat actors, including LockBit ransomware affiliates, are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments. The joint advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI),
By Deeba Ahmed Earlier, Boeing acknowledged a cyberattack amidst claims by the Lockbit ransomware gang of breaching its security and stealing data. This is a post from HackRead.com Read the original post: Lockbit Ransomware Leaks Boeing Data Trove
By Deeba Ahmed Reportedly, it was a ransomware attack orchestrated by the notorious LockBit gang. This is a post from HackRead.com Read the original post: World’s Largest Bank ICBC Discloses Crippling Ransomware Attack
Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]
The Arid Viper threat actor is actively trying to install spyware on targeted devices in the Middle East, using fake dating apps as lures.
By Waqas Mandiant Investigates Zero-Day Exploitation in Citrix Vulnerability, CVE-2023-4966. This is a post from HackRead.com Read the original post: Mandiant Tracks Four Uncategorized Groups Exploiting Citrix Vulnerability
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
Denial of Service in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA Virtual Server
Virtualization services provider VMware has alerted customers to the existence of a proof-of-concept (PoC) exploit for a recently patched security flaw in Aria Operations for Logs. Tracked as CVE-2023-34051 (CVSS score: 8.1), the high-severity vulnerability relates to a case of authentication bypass that could lead to remote code execution. "An unauthenticated, malicious actor can inject files
The latest threat to Citrix NetScaler, CVE-2023-4966, was exploited as a zero-day bug for months before a patch was issued. Researchers expect exploitation efforts to surge.
Citrix is warning of exploitation of a recently disclosed critical security flaw in NetScaler ADC and Gateway appliances that could result in exposure of sensitive information. Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability impacts the following supported versions - NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50 NetScaler ADC and NetScaler Gateway 13.1 before
Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA ?virtual?server.