december 2023

'Citrix Bleed' Zero-day exploited in the wild as proof of concepts circulate

Weeks after threat actors launched a wave of attacks exploiting an earlier Citrix (CVE-2023-3519), Cyberixgill observed a proof-of-concept appearing for the new “Citrix Bleed” vulnerability (CVE-2023-4966). Threat actors can leverage the vulnerability to retrieve authentication session cookies from Citrix NetScaler ADC and NetScaler Gateway appliances. The vulnerability , which has been used in attacks and Cybersixgill detected an exploit for the vulnerability on a popular Russian cybercrime forum.

 

THE HEADLINE

Another critical security flaw (CVE-2023-4966) in Citrix’s NetScaler[1] Application Delivery Controller (ADC) and Gateway[2] products recently came to light, with proofs-of-concept (PoCs) circulating on the dark web. Concurrently, threat actors continue to exploit a previously discovered vulnerability (CVE-2023-3519) in Citrix NetScaler devices, using it to inject credentials-harvesting JavaScript[3] code via malicious sites.

The newer vulnerability (CVE-2023-4966) was dubbed “Citrix Bleed” because it causes the leak of authentication session cookies[4] and allows attackers to retrieve session tokens[5] from vulnerable NetScaler ADC and Gateway appliances. Attackers seek session cookies because they can be used to take control of compromised accounts and gain access to appliances.

Cybersixgill’s CVEs Scoring Mechanisms assigned CVE-2023-4966 a critical score (9.99) at the end of November 2023, with the Common Vulnerability Scoring System (CVSS) reaching 7.5. While Citrix fixed CVE-2023-4966 on October 10, 2023, researchers reported a week later that attackers had leveraged the flaw in the wild as a zero-day since August 2023. In October, a threat monitoring service reported a surge in exploitation attempts following the publication of a researcher’s PoC.

On October 23, 2023, a Citrix alert warned administrators to patch CVE-2023-4966 immediately because of an increase in exploitation attempts. Researchers who tried to exploit vulnerable NetScaler endpoints discovered that payloads could be delivered via an CVE-2023-4966 exploit without administrator rights, making it significantly easier to leverage the vulnerability in attacks. With CVE-2023-4966 PoCs currently circulating, threat actors will likely increasingly target Citrix Netscaler for initial access, the prelude to more damaging and costly ransomware and data theft attacks.

 

DIVING DEEPER

The Cybersixgill Investigative Portal collected multiple repositories containing PoCs for CVE-2023-4966, one of which was posted by a French-speaking “ethical hacker and cybersecurity enthusiast.” The individual noted that the session cookies derived from Citrix Bleed always end with the hex sequence 45525d5f4f58455e445a4a42, adding that incorporating that information could enhance the accuracy of session token detection. While this tip could certainly assist security researchers in finding vulnerable instances, it could also be exploited by threat actors in attacks in the wild.

 CITRIX SCREENSHOT 1Figure 1: PoC for CVE-2023-4966 posted on a popular online platform

 

In addition to the PoC, Cybersixgill also observed a threat actor posting an exploit for CVE-2023-4966 on a popular Russian cybercrime forum. The exploit was provided by a forum member just days after PoCs first appeared, showing the speed with which threat actors seize on new vulnerabilities, spreading them on cybercrime sources. This post also underscores the need to patch CVE-2023-4966, as exploits for the vulnerability continue to spread.

 CITRIX SCREENSHOT 2Figure 2: An exploit for the Citrix Bleed vulnerability on a popular cybercrime forum

 

TAKEAWAYS

The severity of CVE-2023-4966 and attempts to exploit it in the wild mean that chatter on the underground may increase, as threat actors historically have tried to monetize similar vulnerabilities in various ways. Indeed, it is highly anticipated that cybercriminals will continue to try to exploit CVE-2023-4966.

Therefore, all organizations must prepare for such scenarios and bolster their systems’ security by implementing the following best practices:

·         Create data copies and backups on external servers that are isolated from the business network to reduce the impact of possible ransomware attacks.

·         Run the most updated and safest versions of all computing elements, and immediately patch all vulnerable products as soon as a vulnerability is disclosed.

·         Use vulnerability research teams to proactively detect potential vulnerabilities residing on corporate networks that could be exploited by ransomware gangs and immediately mitigate risks.

·         Instruct employees not to click on links or attachments from suspicious emails and implement regular security training to raise awareness so that social engineering attacks can be thwarted.

 



[1] Citrix Workspace is a cloud-based, no-VPN product for accessing intranet web, SaaS, mobile, and virtual applications over various types of networks.

[2] NetScaler Application Delivery Controller (ADC) is a networking appliance to improve applications’ performance, security, and resiliency. NetScaler Gateway is a component of ADC that consolidates remote access infrastructure.

[3] JavaScript is an object-oriented programming language for web development to add interactivity and dynamic functionality, which is supported by virtually all web browsers. Malicious JavaScript code can capture user input, including login credentials, and send them to an attacker.

[4] Servers generate session tokens, which are unique identifiers to identify and authenticate users during sessions and are typically stored in the users’ browsers as cookies. Session tokens maintain user authentication without requiring continual logins.

[5] Session cookies store session tokens or other session-related information. They are stored in the browser’s temporary memory and deleted when browsers are closed.

You may also like

France health sector image

February 10, 2024

33 Million People: Data of almost half of France's population stolen in health sector breach

Read more
Ivanti vulnerabilities image

February 10, 2024

Exploitation of New Ivanti Security Flaws Increases as Proof-of-Concepts Emerge Online

Read more
Oregon college article image

February 10, 2024

Oregon Community College Halts Classes Due to 'LockBit' Ransomware Attack

Read more