Citrix warns admins to patch NetScaler CVE-2023-4966 bug immediately

October 23, 2023 at 02:22PM

Citrix warns admins to immediately secure NetScaler ADC and Gateway appliances against ongoing attacks exploiting the CVE-2023-4966 vulnerability. The vulnerability allows unauthenticated attackers to remotely exploit systems without user interaction. Mandiant reported that threat actors have been using this zero-day vulnerability to steal authentication sessions and hijack accounts since late August 2023. Compromised sessions can persist even after patching, allowing lateral movement across networks and compromising other accounts. The vulnerability has been exploited to infiltrate government entities and technology corporations.

Key takeaways:

1. Citrix has issued a warning to administrators to immediately secure all NetScaler ADC and Gateway appliances against ongoing attacks exploiting the CVE-2023-4966 vulnerability.

2. The vulnerability, tracked as CVE-2023-4966, was patched by Citrix two weeks ago and is considered critical with a severity rating of 9.4/10. It can be remotely exploited by unauthenticated attackers in low-complexity attacks that do not require user interaction.

3. NetScaler appliances must be configured as a Gateway or an AAA virtual server in order to be vulnerable to the attacks.

4. While Citrix had no evidence of the vulnerability being exploited in the wild when the fix was released, Mandiant later disclosed ongoing exploitation by threat actors. These actors have been exploiting the vulnerability as a zero-day since late August 2023 to steal authentication sessions and hijack accounts.

5. Compromised sessions may persist even after patching, and depending on the compromised accounts’ permissions, attackers could move laterally across the network or compromise other accounts.

6. Mandiant has found instances where the CVE-2023-4966 vulnerability was exploited to infiltrate the infrastructure of government entities and technology corporations.

7. Citrix recommends immediately installing the recommended builds to address the vulnerability for affected NetScaler ADC and Gateway appliances.

8. In addition to applying the patches, Citrix also advises killing all active and persistent sessions using specific commands.

9. NetScaler ADC and Gateway devices that are not set up as gateways or AAA virtual servers are not vulnerable to the CVE-2023-4966 attacks.

10. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-4966 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to secure their systems against active exploitation by November 8.
