Recently patched Citrix NetScaler bug exploited as zero-day since August

October 18, 2023 at 08:02AM

A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances, tracked as CVE-2023-4966, has been exploited as a zero-day since late August. The flaw lets attackers read sensitive information, including session tokens, from appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and accounting (AAA) virtual server. Citrix has released fixed builds and urges customers to upgrade immediately. Attackers have been observed using the bug to steal authentication sessions and hijack accounts. Because the update only stops new leaks, sessions stolen before the upgrade remain valid until they are explicitly terminated, giving attackers a foothold to move laterally and compromise further accounts even on patched appliances.

Key takeaways from the article:

1. A critical vulnerability, tracked as CVE-2023-4966, in Citrix NetScaler ADC and NetScaler Gateway appliances has been actively exploited since late August.
2. The vulnerability allows attackers to read sensitive information, including session tokens, from appliances configured as a Gateway or as an authentication, authorization, and accounting (AAA) virtual server.
3. Citrix released a security update last week to fix the issue and strongly urges customers to install it without delay.
4. The cybersecurity company Mandiant reported that the vulnerability has been exploited in the wild since August to steal authentication sessions and hijack accounts.
5. Installing the update does not invalidate sessions that were already stolen: those sessions persist after the upgrade, so an attacker holding one can still move laterally or breach more accounts until the session is terminated.
6. Mandiant provided additional remediation recommendations: restrict ingress IP addresses, terminate all active sessions after upgrading, rotate credentials, and rebuild appliances from clean-source images where compromise is suspected.
7. Restricting ingress to trusted IPs limits external exposure, but it is only a partial mitigation for an appliance that must remain reachable by remote users; the upgrade and the post-upgrade session termination are the essential steps.
8. Upgrading to the fixed builds named in Citrix's advisory (NetScaler ADC and Gateway 14.1-8.50, 13.1-49.15 and 13.0-92.19 or later, plus the corresponding FIPS/NDcPP builds listed there) should be prioritized.
9. This is the second zero-day flaw that Citrix has fixed in its products this year, the previous being CVE-2023-3519, which was exploited in early July.
