Citrix issued a stern advisory to administrators, urging them to promptly secure all NetScaler ADC and Gateway appliances due to ongoing attacks exploiting the critical CVE-2023-4966 vulnerability.
Just two weeks ago, the company patched this severe information disclosure flaw, tracked as CVE-2023-4966 and rated 9.4/10 in severity. The rating is that high because the flaw can be exploited remotely by unauthenticated attackers through relatively simple methods that require no user interaction.
It's important to note that NetScaler appliances must be configured as either a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be susceptible to these attacks.
Admins urged to secure systems
At the time the fix was initially released, the company had no evidence of the vulnerability being actively exploited in the wild. However, just one week later, it was disclosed that ongoing exploitation of CVE-2023-4966 was happening.
Threat actors had been taking advantage of this zero-day vulnerability since late August 2023. They used it to pilfer authentication sessions and seize control of accounts, potentially enabling them to circumvent multifactor authentication and other robust authentication requirements.
Users were also cautioned that even after applying the patches, sessions that had already been compromised could persist, allowing attackers, depending on the permissions of the hijacked accounts, to move laterally through the network or compromise other accounts. Furthermore, instances were discovered where CVE-2023-4966 was leveraged to infiltrate the infrastructure of government entities and technology corporations.
In response to these developments, Citrix issued a strong warning to administrators, stating, "We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability." They urged immediate action for those using affected builds and having NetScaler ADC configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy), or as an AAA virtual server, considering this vulnerability as critical.
Citrix also acknowledged its inability to provide forensic analysis to determine potential compromises. Additionally, they recommended terminating all active and persistent sessions using the provided commands:
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
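Because the advisory offers no forensic guidance, defenders are left to hunt for the session hijacking it describes themselves. The following is an added example, not part of the article or of any Citrix tooling: it parses constructed, simplified session log lines (the line format is hypothetical and does not match real NetScaler ns.log syntax), flags any session ID that is used from more than one client IP address, and returns the post-patch session termination commands quoted in the advisory, ordered so that sessions are only killed once the fixed build is in place and the appliance is actually in scope (Gateway or AAA virtual server).

```python
"""Flag NetScaler-style sessions used from more than one client IP (a session
hijacking indicator) and produce the advisory's session-kill steps.
Added example; log format and sample data are constructed."""
import re
from collections import defaultdict

# Constructed sample records in a hypothetical, simplified format.
# Session S1001 (alice) is first used from 203.0.113.10 and later from 198.51.100.77.
SAMPLE_LOG = """\
2023-10-18T09:12:01Z AAA LOGIN user=alice sessionid=S1001 client=203.0.113.10
2023-10-18T09:13:44Z AAA LOGIN user=bob sessionid=S1002 client=203.0.113.22
2023-10-18T09:40:07Z AAA REQUEST user=alice sessionid=S1001 client=203.0.113.10
2023-10-18T09:41:19Z AAA REQUEST user=alice sessionid=S1001 client=198.51.100.77
2023-10-18T10:02:55Z AAA REQUEST user=bob sessionid=S1002 client=203.0.113.22
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) AAA (?P<event>LOGIN|REQUEST) user=(?P<user>\S+) "
    r"sessionid=(?P<sid>\S+) client=(?P<ip>\S+)$"
)

# Session termination commands exactly as quoted in the Citrix advisory.
SESSION_KILL_COMMANDS = [
    "kill icaconnection -all",
    "kill rdp connection -all",
    "kill pcoipConnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
]


def parse_log(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_multi_ip_sessions(records):
    """Return {sessionid: (user, sorted client IPs)} for sessions seen from >1 IP.

    A session token appearing from a second address is the basic indicator of a
    stolen session being replayed; it is a lead to triage, not proof on its own.
    """
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for r in records:
        ips_by_session[r["sid"]].add(r["ip"])
        user_by_session[r["sid"]] = r["user"]
    return {
        sid: (user_by_session[sid], sorted(ips))
        for sid, ips in ips_by_session.items()
        if len(ips) > 1
    }


def remediation_steps(patched, gateway_or_aaa):
    """Order the response as the advisory does: only in-scope appliances are
    affected, and sessions are killed after the fixed build is applied, since
    killing them first would just let an attacker harvest new ones."""
    if not gateway_or_aaa:
        return []  # plain load balancing setups are not affected
    if not patched:
        return ["apply the fixed NetScaler build before terminating sessions"]
    return list(SESSION_KILL_COMMANDS)


if __name__ == "__main__":
    suspicious = find_multi_ip_sessions(parse_log(SAMPLE_LOG))
    for sid, (user, ips) in suspicious.items():
        print(f"session {sid} for {user} used from {', '.join(ips)}")
    for step in remediation_steps(patched=True, gateway_or_aaa=True):
        print(step)
```

Legitimate clients do change addresses (mobile users, proxy pools), so a multi-IP hit is a triage queue, not a verdict; correlating it with the timing of the first exploitation window reported by the article and with the account's usual source networks is what turns it into a finding.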
NetScaler ADC and NetScaler Gateway appliances that are not configured as a gateway (i.e., not serving as a VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as an AAA virtual server, such as typical load balancing deployments, are not affected by CVE-2023-4966. Citrix also confirmed that NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.