A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced.
The security issue is an information disclosure and received a fix last week. It allows attackers to access secrets in appliances configured as gateways of authentication, authorization, and accounting (AAA) virtual servers.
In a security bulletin on October 10 with few technical details, Citrix strongly urged customers to install the available update without delay.
A report from Mandiant disclosed that it found signs of CVE-2023-4966 being exploited in the wild since August for stealing authentication sessions and hijacking accounts.
“Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023,” says the cybersecurity company.
“Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements” – Mandiant
The company also warns that hijacked sessions persist even after installing the security update. Depending on the permissions of the hijacked account, the attackers may leverage the method to move laterally or to breach more accounts.
Security researchers observed CVE-2023-4966 being exploited for access on infrastructure belonging to government organizations and technology companies.
Fixing and mitigation
Apart from applying the patch from Citrix, Mandiant published a document with additional remediation recommendations for NetScaler ADC/Gateway administrators with the following suggestions:
- Restrict ingress IP addresses if immediate patching isn’t feasible.
- Terminate all sessions post-upgrade and run the CLI command: clear lb persistentSessions
. - Rotate credentials for identities accessing vulnerable appliances.
- If suspicious activity is detected, especially with single-factor authentication, rotate a broader scope of credentials.
- For detected web shells or backdoors, rebuild appliances with the latest clean-source image.
- If restoring from backup, ensure no backdoors are in the backup configuration.
- Limit external attack exposure by restricting ingress to trusted IPs.
Also, upgrading the appliances to the following firmware versions should be prioritized:
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NdcPP
This is the second zero-day flaw Citrix fixes in its products this year. A previous one, identified as CVE-2023-3519, was exploited in the wild in early July and received a fix a few of weeks later.
