Citrix NetScaler has a critical security vulnerability that was patched last week but has been actively exploited since late August 2023. Tracked as CVE-2023-4966, it carries a CVSS (Common Vulnerability Scoring System) score of 9.4. Mandiant (a frontline cyber defense company) has warned that it may not be remediable by simply applying the patch.
Alongside that warning, Mandiant CTO Charles Carmakal has recommended that organizations terminate all active sessions. Authenticated sessions persist after the update mitigating CVE-2023-4966 (a Common Vulnerabilities and Exposures identifier assigned by MITRE Corp.) has been deployed, so even with the patch applied, stolen session data can still be used to authenticate to resources until those sessions have been terminated.
Technically the vulnerability is an information disclosure, but the flaw allows threat actors to hijack existing authenticated sessions and potentially bypass MFA (multi-factor authentication). The result is full control over NetScaler environments, which manage application delivery within enterprise network infrastructures.
The exploitation dates back to late August and was carried out by an unknown threat actor (allegedly FIN8, unconfirmed). Mandiant CTO Carmakal noted that the ongoing exploitation appears to focus on cyberespionage, with professional services, technology, and government organizations in the unknown actor's sights so far. The same exploitation may well spur financially motivated threat actors to use the exploit as well.
According to the ShadowServer Foundation, this exploitation has backdoored more than 1300 NetScaler instances, which were still appearing in scans as of early October.
This is a likely prediction given that many organizations have poor track records when it comes to mitigating known threats against Citrix gear. For instance, earlier in the month it came to light that legions of threat actors are still targeting CVE-2023-3519, a pre-authentication remote code-execution (RCE) vulnerability in Citrix NetScaler gateways that was addressed in July.
The vulnerability impacts the following NetScaler ADC and Gateway appliances:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
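As an added example (not part of the original article or of Citrix's own tooling), the following Python script checks NetScaler build strings against the affected-version list above and sorts an inventory into hosts that still need the patch, hosts that are patched but still need their sessions terminated, and hosts whose branch is not covered by the list. The hostnames and builds in the sample inventory are constructed, and the `show version` string format it accepts is an assumption about the appliance's usual output.

```python
import re
from typing import Optional

# First fixed build per (branch, variant), copied from the affected-version list above.
# An empty variant means the standard ADC/Gateway firmware.
FIRST_FIXED = {
    ("14.1", ""): "14.1-8.50",
    ("13.1", ""): "13.1-49.15",
    ("13.0", ""): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDcPP"): "12.1-55.300",
}

# Accepts the advisory style "13.1-49.15" and (assumed) the "show version" style
# "NetScaler NS13.1: Build 49.15.nc". The build number is kept as a tuple of
# integers so that 8.50 sorts below 49.15; a plain string compare would not.
_BUILD_RE = re.compile(r"(?:NS)?(\d+\.\d+)[:\s-]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_build(text: str) -> tuple[str, tuple[int, int]]:
    """Return (branch, (build_major, build_minor)) for a NetScaler build string."""
    m = _BUILD_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable(build: str, variant: str = "") -> Optional[bool]:
    """True if the build predates the first fixed build for its branch/variant,
    False if it is at or past the fix, None if the branch/variant is not in the
    list (treat None as 'needs manual review', never as 'safe')."""
    branch, build_no = parse_build(build)
    fixed = FIRST_FIXED.get((branch, variant))
    if fixed is None:
        return None
    return build_no < parse_build(fixed)[1]


def triage(inventory):
    """Group a list of (hostname, build_string, variant) by remediation status."""
    report = {"patch_and_kill_sessions": [], "patched_kill_sessions": [], "review": []}
    for host, build, variant in inventory:
        status = is_vulnerable(build, variant)
        if status is True:
            report["patch_and_kill_sessions"].append(host)
        elif status is False:
            # A fixed build is not the end of it: sessions established before
            # the patch stay valid until they are terminated, as the text notes.
            report["patched_kill_sessions"].append(host)
        else:
            report["review"].append(host)
    return report


# Constructed sample inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = [
    ("gw-01.example.invalid", "NetScaler NS13.1: Build 49.13.nc", ""),
    ("gw-02.example.invalid", "14.1-8.50", ""),
    ("gw-fips.example.invalid", "13.1-37.160", "FIPS"),
    ("gw-old.example.invalid", "12.1-65.39", ""),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

The point of the third bucket is that a build string the list does not cover (here a non-FIPS 12.1 build) must not be silently reported as safe; it goes to a human for review.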