Citrix has alerted administrators today to secure all NetScaler ADC and Gateway appliances against ongoing attacks that exploit the CVE-2023-4966 vulnerability. The company fixed this critical flaw, which allows sensitive information disclosure, two weeks ago. The vulnerability, which carries a CVSS base score of 9.4, can be exploited remotely by unauthenticated attackers in low-complexity attacks that require no user interaction. An appliance is only exposed when it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
At the time of patch release, Citrix had no evidence of the vulnerability being exploited in the wild. However, Mandiant disclosed ongoing exploitation a week later. The cybersecurity firm reported that threat actors had been exploiting CVE-2023-4966 as a zero-day since late August 2023 to hijack authentication sessions and accounts. Because a stolen session token is already authenticated, attackers who replay it bypass multifactor authentication and any other strong authentication requirement. Mandiant warned that compromised sessions persist even after patching, and that, depending on the permissions of the compromised accounts, attackers could move laterally across the network or compromise other accounts.
Mandiant also discovered instances where CVE-2023-4966 was exploited to infiltrate the infrastructure of government entities and technology corporations. "We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability," Citrix warned. The company, which labels the vulnerability as critical, strongly recommends that customers running affected builds who have configured NetScaler ADC as a gateway or as an AAA virtual server immediately install the recommended builds (14.1-8.50, 13.1-49.15, 13.0-92.19, 13.1-37.164 FIPS, and 12.1-55.300 FIPS/NDcPP, or later; the standard 12.1 release is end of life and receives no fix). Citrix also stated that it is "unable to provide forensic analysis to determine if a system may have been compromised."
Because patching does not invalidate sessions that were stolen before the upgrade, Citrix advises terminating all active and persistent sessions after updating, using the following commands from its advisory: `kill icaconnection -all`, `kill rdp connection -all`, `kill pcoipConnection -all`, `kill aaa session -all`, and `clear lb persistentSessions`. NetScaler ADC and NetScaler Gateway appliances that are not set up as gateways or as AAA virtual servers are not vulnerable to CVE-2023-4966. Citrix has also confirmed that NetScaler Application Delivery Management (ADM) and Citrix SD-WAN are not affected.
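The two questions the advisory turns on, whether the build is patched and whether the appliance is configured as a Gateway or AAA virtual server, can be answered from output an administrator has already copied off the box. The script below is an added example written for this page, not Citrix tooling: it parses the text of `show version` and of the running configuration, compares the build against the fixed builds from the Citrix advisory, flags `add vpn vserver` and `add authentication vserver` lines as the exposed surface (an assumption: other ways of fronting a Gateway, such as content switching, are not covered), and lists the session-clearing commands when the appliance is exposed. The sample version string and configuration are constructed, not captured from a real appliance.

```python
"""Triage helper for CVE-2023-4966 exposure on NetScaler ADC / Gateway.

Added example, not Citrix tooling. Feed it the text of `show version` and of
the running config (`show running` or ns.conf) and it reports whether the
build is fixed and whether the box exposes a Gateway or AAA vserver.
"""
import re

# Minimum fixed builds from the Citrix advisory for CVE-2023-4966, keyed by
# (release branch, edition). Builds are compared as (major, minor) integers.
# Assumption: this table is maintained by hand; re-check the advisory.
FIXED_BUILDS = {
    ("14.1", ""): (8, 50),
    ("13.1", ""): (49, 15),
    ("13.0", ""): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Matches e.g. "NetScaler NS13.1: Build 49.13.nc, Date: ..." from `show version`.
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")

# Config verbs that create the exposed surface: a Gateway (a VPN vserver also
# covers ICA Proxy, CVPN and RDP Proxy) or an AAA virtual server.
EXPOSED_VERBS = {
    "add vpn vserver": "Gateway",
    "add authentication vserver": "AAA",
}

# Constructed sample inputs (not real appliance output).
SAMPLE_VERSION = "NetScaler NS13.1: Build 49.13.nc, Date: Jul 31 2023, 02:02:56   (64-bit)"
SAMPLE_CONFIG = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 203.0.113.5 443 -Listenpolicy NONE
add authentication vserver aaa_vs SSL 203.0.113.6 443
"""


def parse_version(show_version_output):
    """Return (branch, (major, minor)) from `show version` text, or None."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_patched(branch, build, edition=""):
    """True if build is at or above the fixed build for its branch/edition.

    Branches with no fixed build (e.g. standard 12.1, which is end of life)
    are reported as unpatched rather than silently passed.
    """
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return False
    return build >= fixed


def exposed_vservers(config_text):
    """List (role, name) for every Gateway or AAA vserver in the config."""
    found = []
    for line in config_text.splitlines():
        line = line.strip()
        for verb, role in EXPOSED_VERBS.items():
            if line.startswith(verb + " "):
                name = line[len(verb):].split()[0]
                found.append((role, name))
    return found


def triage(show_version_output, config_text, edition=""):
    """Combine both checks into a verdict plus the actions to take next."""
    parsed = parse_version(show_version_output)
    exposed = exposed_vservers(config_text)
    verdict = {"version": parsed, "exposed": exposed, "patched": False, "actions": []}
    if parsed is not None:
        verdict["patched"] = is_patched(parsed[0], parsed[1], edition)
    if not exposed:
        verdict["actions"].append("not configured as Gateway/AAA: not affected by CVE-2023-4966")
        return verdict
    if not verdict["patched"]:
        verdict["actions"].append("upgrade to a fixed build")
    # Upgrading alone leaves sessions stolen before the patch valid; the
    # Citrix advisory has admins clear them explicitly after updating.
    verdict["actions"] += [
        "kill icaconnection -all",
        "kill rdp connection -all",
        "kill pcoipConnection -all",
        "kill aaa session -all",
        "clear lb persistentSessions",
    ]
    return verdict


if __name__ == "__main__":
    result = triage(SAMPLE_VERSION, SAMPLE_CONFIG)
    print("version:", result["version"], "patched:", result["patched"])
    print("exposed vservers:", result["exposed"])
    for action in result["actions"]:
        print("  ->", action)
```

Run against the constructed sample, the script reports build 13.1-49.13 as unpatched, lists the Gateway and AAA vservers, and prints the upgrade step followed by the session-clearing commands; an appliance with only load-balancing vservers is reported as not affected regardless of build.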
Last Thursday, CISA added CVE-2023-4966 to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to secure their systems against active exploitation by November 8.