October 25, 2023 at 11:30AM
A proof-of-concept exploit has been released for the ‘Citrix Bleed’ vulnerability (CVE-2023-4966) allowing attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. The vulnerability was previously abused as a zero-day in limited attacks and Citrix has urged administrators to patch the flaw immediately. The release of the exploit is expected to increase targeting of Citrix Netscaler devices for malicious activities. System administrators are advised to deploy patches promptly.
Key Takeaways:
– A proof-of-concept (PoC) exploit has been released for the ‘Citrix Bleed’ vulnerability (CVE-2023-4966) that affects Citrix NetScaler ADC and NetScaler Gateway appliances.
– The vulnerability allows attackers to retrieve authentication session cookies from vulnerable devices.
– Citrix fixed the vulnerability on October 10 but did not provide detailed information about it.
– Mandiant revealed that the flaw was exploited as a zero-day in limited attacks since late August.
– Citrix issued a warning on Monday urging administrators to patch the flaw immediately as exploitation rates increase.
– Researchers at Assetnote published a PoC exploit for CVE-2023-4966 on GitHub to demonstrate the vulnerability and assist with testing for exposure.
– The exploit targets an unauthenticated buffer-related vulnerability in Citrix NetScaler ADC and Gateway devices.
– By analyzing the vulnerable and patched versions of NetScaler, researchers identified two functions with additional bounds checks that generate a response.
– The vulnerability arises from a buffer over-read when the snprintf function returns a specific value.
– Assetnote’s analysts found that exploiting the vulnerability allows the retrieval of session cookies, enabling attackers to hijack accounts.
– As a response to the PoC release, threat monitoring service Shadowserver reports an increase in exploitation attempts, indicating that malicious activity has already started.
– System administrators are strongly advised to deploy patches immediately to address the vulnerability, as these types of vulnerabilities are commonly exploited for ransomware and data theft attacks.