Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability.
The company patched this critical sensitive information disclosure flaw (tracked as CVE-2023-4966) two weeks ago, assigning it a 9.4/10 severity rating as it’s remotely exploitable by unauthenticated attackers in low-complexity attacks that don’t require user interaction.
NetScaler appliances must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be vulnerable to attacks.
While the company had no evidence the vulnerability was being exploited in the wild when the fix was released, ongoing exploitation was disclosed by Mandiant one week later.
The cybersecurity company said threat actors had been exploiting CVE-2023-4966 as a zero-day since late August 2023 to steal authentication sessions and hijack accounts, which could help the attackers bypass multifactor authentication or other strong auth requirements.
Mandiant cautioned that compromised sessions persist even after patching and, depending on the compromised accounts’ permissions, attackers could move laterally across the network or compromise other accounts.
Additionally, Mandiant found instances where CVE-2023-4966 was exploited to infiltrate the infrastructure of government entities and technology corporations.
Admins urged to secure systems against ongoing attacks
“We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability,” Citrix warned today.
“If you are using affected builds and have configured NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server, we strongly recommend that you immediately install the recommended builds because this vulnerability has been identified as critical.”
Citrix added that it’s “unable to provide forensic analysis to determine if a system may have been compromised.”
Also, Citrix recommends killing all active and persistent sessions using the following commands:
kill icaconnection -all kill rdp connection -all kill pcoipConnection -all kill aaa session -all clear lb persistentSessions
NetScaler ADC and NetScaler Gateway devices, when not set up as gateways (including VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as AAA virtual servers (typical load balancing configurations, for instance), are not vulnerable to CVE-2023-4966 attacks.
This also includes products like NetScaler Application Delivery Management (ADM) and Citrix SD-WAN, as Citrix confirmed.
Last Thursday, CISA added CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, ordering federal agencies to secure their systems against active exploitation by November 8.