This flaw is described as a sensitive information disclosure vulnerability that allows remote unauthenticated attackers to extract large amounts of data from a vulnerable Citrix device's memory, including sensitive session tokens. This is why it's been dubbed "Citrix Bleed".
The vulnerability lies in a buffer overflow that allows for sensitive information disclosure when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not impacted.
Exploitation of this vulnerability could disclose sensitive information, including session authentication tokens that may allow a threat actor to "hijack" a user's session. The bug requires little effort or complexity to exploit, allowing attackers to reuse legitimate session tokens to compromise a victim's network without needing a password or passing two-factor authentication.
On October 10, 2023, Citrix disclosed the vulnerability affecting on-premises versions of its NetScaler ADC and NetScaler Gateway platforms and released security updates to address CVE-2023-4966 in both products. A week later, on October 17, Citrix updated its advisory to state that it had observed exploitation in the wild.
The vulnerability has been exploited in a wave of mass cyberattacks, with attackers targeting big-name organizations worldwide. More than 60 credit unions in the US had their operations disrupted because of unpatched NetScaler servers, and federal regulators and the American Hospital Association have issued urgent warnings to hospitals and others.
To mitigate the threat, organizations are urged to apply the patch released in October and to hunt for and evict any threat actors who may already have exploited unpatched instances of the software. Unmitigated appliances should be updated to the fixed versions listed by Citrix.
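Because the flaw leaks session tokens rather than passwords, patching alone does not tell you whether a token minted by the vulnerable code is already in an attacker's hands. The following is an added example (not from the article, Citrix, or CISA) of the kind of post-patch hunt the eviction step above calls for: it parses a constructed, made-up access-log format and flags (a) sessions whose token appears from more than one client IP, which is the classic sign of a replayed token, and (b) sessions that were first seen before the patch time and are still in use after it, which were issued by vulnerable code and are candidates for forced termination. The log layout, field names, sample records and `PATCH_APPLIED_AT` are all assumptions; a real hunt keys on whatever session identifier and timestamp your appliance or SIEM actually records.

```python
"""Hunt for possibly hijacked Gateway sessions in constructed access-log records.

Assumptions (not taken from the original article): the log format, the field
names and the sample records below are made up for illustration. Adapt
parse_log() to the format your appliance or SIEM actually emits.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: one request per line, whitespace separated,
# "timestamp user session_id client_ip". session_id stands in for the
# session token the article describes as being leaked from memory.
SAMPLE_LOG = """\
2023-10-09T08:00:00Z alice S-1001 203.0.113.10
2023-10-09T08:05:00Z alice S-1001 203.0.113.10
2023-10-09T09:30:00Z bob   S-1002 198.51.100.7
2023-10-11T02:14:00Z alice S-1001 192.0.2.99
2023-10-11T03:00:00Z carol S-1003 203.0.113.44
"""

# Placeholder: the moment the fixed build went live on this appliance.
PATCH_APPLIED_AT = datetime(2023, 10, 10, 12, 0, tzinfo=timezone.utc)


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip = line.split()
        # Normalise the trailing "Z" so fromisoformat() works on older Pythons.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append({"ts": when, "user": user, "sid": sid, "ip": ip})
    return records


def sessions_with_multiple_ips(records):
    """Return {session_id: sorted client IPs} for every session seen from more
    than one client address. A stolen token replayed by an attacker shows up
    here unless the attacker happens to share the victim's egress IP."""
    ips = defaultdict(set)
    for r in records:
        ips[r["sid"]].add(r["ip"])
    return {sid: sorted(addrs) for sid, addrs in ips.items() if len(addrs) > 1}


def sessions_spanning_patch(records, patch_time):
    """Return session ids first seen before patch_time and still used after it.
    Those tokens were issued by the vulnerable build and may already have been
    read out of memory, so they should be terminated, not trusted."""
    first, last = {}, {}
    for r in records:
        sid, ts = r["sid"], r["ts"]
        first[sid] = min(first.get(sid, ts), ts)
        last[sid] = max(last.get(sid, ts), ts)
    return sorted(sid for sid in first if first[sid] < patch_time <= last[sid])


def main():
    records = parse_log(SAMPLE_LOG)
    print("Sessions seen from multiple client IPs:")
    for sid, addrs in sessions_with_multiple_ips(records).items():
        print(f"  {sid}: {', '.join(addrs)}")
    print("Sessions issued before the patch and still active after it:")
    for sid in sessions_spanning_patch(records, PATCH_APPLIED_AT):
        print(f"  {sid}")


if __name__ == "__main__":
    main()
```

On the constructed sample, S-1001 trips both checks: it was issued on October 9 from 203.0.113.10 and is reused on October 11 from 192.0.2.99, after the patch time. Either finding on its own is enough to justify terminating the session and re-authenticating the user; together they are a strong signal of a replayed token. The multi-IP check is deliberately simple; production logic would allow for legitimate roaming (mobile clients, split egress) by looking at geography or ASN rather than raw address changes.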