Exploitation of Citrix NetScaler vulns reaching dangerous levels

/in


Time may be running short for users of Citrix’s NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products who have not yet patched against two recently disclosed vulnerabilities to do so, after cyber researchers started to see elevated levels of activity targeting them.

Disclosed on 10 October, and possibly exploited as long ago as August, the two flaws are tracked as CVE-2023-4966 and CVE-2023-4967. The first of these is a sensitive information disclosure vulnerability carrying a Common Vulnerability Scoring System (CVSS) score of 9.4, and the second is a denial-of-service vulnerability carrying a CVSS score of 8.2.

The growing volume of threat actor activity is targeting the first of these vulnerabilities, according to Citrix. In a statement, the company said: “We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability.”

Citrix said it strongly recommended users of the affected products to immediately install the updated, recommended builds, as well as killing all active and persistent sessions as a precaution. More details of how to do so are available from Citrix. Note that there are no further workarounds available.

Exploitation of CVE-2023-4966 may escalate still further after the publication of a public proof of concept (PoC) by researchers at AssetNote on 25 October. In his write-up, AssetNote’s Dylan Pindur revealed how he was able to exploit the vulnerability in order to obtain a valid session token.

“Like previous issues with Citrix NetScaler, the issue was made worse by a lack of other defence-in-depth techniques and mitigations,” wrote Pindur. “Not clearing sensitive data from what appear to be temporary buffers and stricter validation on client-provided data being the two most obvious mitigations which could have been applied to minimise the damage.”

Since this, multiple sources have stated that scanning activity has increased. In a statement posted to X, the website formerly known as Twitter, internet security specialist ShadowServer said its honeypot sensors had seen a “sharp increase in queries” related to CVE-2023-4966.

Source…