Exploitation of Citrix NetScaler vulns reaching dangerous levels

Time may be running short for users of Citrix’s NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products who have not yet patched against two recently disclosed vulnerabilities to do so, after cyber researchers started to see elevated levels of activity targeting them.

Disclosed on 10 October, and possibly exploited as long ago as August, the two flaws are tracked as CVE-2023-4966 and CVE-2023-4967. The first of these is a sensitive information disclosure vulnerability carrying a Common Vulnerability Scoring System (CVSS) score of 9.4, and the second is a denial-of-service vulnerability carrying a CVSS score of 8.2.

The growing volume of threat actor activity is targeting the first of these vulnerabilities, according to Citrix. In a statement, the company said: “We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability.”

Citrix said it strongly recommended users of the affected products to immediately install the updated, recommended builds, as well as killing all active and persistent sessions as a precaution. More details of how to do so are available from Citrix. Note that there are no further workarounds available.

Exploitation of CVE-2023-4966 may escalate still further after the publication of a public proof of concept (PoC) by researchers at AssetNote on 25 October. In his write-up, AssetNote’s Dylan Pindur revealed how he was able to exploit the vulnerability in order to obtain a valid session token.

“Like previous issues with Citrix NetScaler, the issue was made worse by a lack of other defence-in-depth techniques and mitigations,” wrote Pindur. “Not clearing sensitive data from what appear to be temporary buffers and stricter validation on client-provided data being the two most obvious mitigations which could have been applied to minimise the damage.”

Since this, multiple sources have stated that scanning activity has increased. In a statement posted to X, the website formerly known as Twitter, internet security specialist ShadowServer said its honeypot sensors had seen a “sharp increase in queries” related to CVE-2023-4966.

As of 23 October, ShadowServer said it had observed around 9,000 vulnerable NetScaler instances worldwide – about 4,100 in the US, 850 in Germany and 480 in the UK.

Rapid7 also confirmed it was seeing more activity. In a statement, it said: “Rapid7 MDR is investigating potential exploitation of this vulnerability in a customer environment but is not yet able to confirm with high confidence that CVE-2023-4966 was the initial access vector.

“Rapid7 recommends taking emergency action to mitigate CVE-2023-4966. Threat actors, including ransomware groups, have historically shown strong interest in Citrix NetScaler ADC vulnerabilities. We expect exploitation to increase.”