November 2, 2023: A critical severity flaw known as ‘Citrix Bleed’ (CVE-2023-4966), which impacts Citrix NetScaler ADC and NetScaler Gateway, was recently disclosed. The flaw could potentially allow hackers to gain access to sensitive information from the devices. The vulnerability has been given a CVSS score of 9.4/10.
Citrix released patches for the flaw on October 10 and warned that threat actors are actively exploiting the vulnerability in the wild, performing session hijacking that allows them to completely bypass authentication, including multi-factor authentication protections.
Once exploited, attackers can gain memory access to NetScaler ADC and Gateway devices, giving them the ability to extract session cookies and attempt to bypass authentication.
Attackers can steal the token of recently connected users and gain access to whatever resources the user has permissions to within Citrix. Threat actors can harvest credentials and then move laterally through the network via RDP and potentially conduct reconnaissance in the victim’s environment.
There is the potential that even patched instances are at risk of exploitation, as the session tokens do persist in memory.
Despite the potential for patched devices to still be impacted, it is still recommended that admins apply the patches for the flaw as soon as possible.
Citrix has also warned admins to secure systems against low-complexity attacks that don’t require any user interactions.
If customers are using any of the affected builds listed in Citrix’s security bulletin, they should upgrade immediately to the recommended builds. In addition, Citrix strongly advises killing all active and persistent sessions using the commands provided in that bulletin.
In instances where multi-factor authentication can be bypassed and issues persist on patched systems, visibility into the traffic traversing your network is critical to find and isolate intrusions and prevent further access and damage.
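One concrete form that visibility can take is watching for a session token that is reused from a different client shortly after legitimate use, which is the observable footprint of the session hijacking described above. The script below is an added illustration, not code from the advisory, Citrix or SecuLore; the log format, field order and sample lines are constructed for the example (real NetScaler logs differ and need their own parser), and the 30-minute window is an assumed tuning value.

```python
"""Flag session tokens reused from a new client IP or user agent within a
short window of earlier use: a simple session-hijacking indicator.

Added example; the log format below is constructed for illustration and is
not a real NetScaler log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed format: "<ISO timestamp> <src_ip> <session_token> <user> <user_agent>"
SAMPLE_LOG = """\
2023-10-25T09:00:01Z 10.0.5.12 sess-a1f3 alice Citrix-Workspace/23.9
2023-10-25T09:00:45Z 10.0.5.12 sess-a1f3 alice Citrix-Workspace/23.9
2023-10-25T09:03:10Z 203.0.113.77 sess-a1f3 alice python-requests/2.31
2023-10-25T09:05:00Z 10.0.6.40 sess-b7c9 bob Citrix-Workspace/23.9
2023-10-25T09:06:30Z 10.0.6.40 sess-b7c9 bob Citrix-Workspace/23.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<token>\S+)\s+(?P<user>\S+)\s+(?P<ua>.+)$"
)


def parse_log(text):
    """Parse the constructed log format into event dicts, oldest first.
    Malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(
            event["ts"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_hijack_indicators(events, window=timedelta(minutes=30)):
    """Return one finding per token that is reused from a client IP or user
    agent not seen before on that token, within `window` of the prior
    request. Reuse after a longer gap is not flagged by this heuristic."""
    by_token = defaultdict(list)
    for event in events:
        by_token[event["token"]].append(event)

    findings = []
    for token, evs in by_token.items():
        seen_ips = {evs[0]["ip"]}
        seen_uas = {evs[0]["ua"]}
        reasons = set()
        for prev, cur in zip(evs, evs[1:]):
            within = cur["ts"] - prev["ts"] <= window
            if within and cur["ip"] not in seen_ips:
                reasons.add("token reused from new client IP")
            if within and cur["ua"] not in seen_uas:
                reasons.add("token reused with new user agent")
            # Track every client seen so later comparisons use the full history
            seen_ips.add(cur["ip"])
            seen_uas.add(cur["ua"])
        if reasons:
            findings.append({
                "token": token,
                "user": evs[0]["user"],
                "ips": sorted(seen_ips),
                "user_agents": sorted(seen_uas),
                "reasons": sorted(reasons),
            })
    return findings


if __name__ == "__main__":
    for finding in find_hijack_indicators(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample, only `sess-a1f3` is flagged: the token last used by `alice` from an internal address reappears two minutes later from an external address with a different client, while `bob`'s session stays on one client throughout. In practice the same check is worth running on the NetScaler's own session and access logs, and any hit should be treated as a reason to terminate the session rather than just a warning.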
SecuLore™ OverWatch provides continuous network monitoring through our patented Paladin technology to detect vulnerabilities in your network and detect anomalous behavior. The technology passively captures all traffic on your network to identify threats that are often missed by other layers of security. The packet captures are sent to our Security Operations Center to be processed via a unique behavioral analysis that is constantly reviewed by our team of CEH (Certified Ethical Hackers).
Contact SecuLore for more information to get started with a monitoring option to detect malicious traffic attempting to exploit vulnerabilities on your network.
SecuLore Support Team