October 24, 2023 at 05:04PM
Citrix has issued an urgent fix for a critical information disclosure bug, CVE-2023-4966, affecting NetScaler ADC and NetScaler Gateway, revealing that the exploit has been actively used. GitHub now hosts a proof-of-concept exploit named Citrix Bleed. Organizations using affected builds should assume they have been compromised, apply the update, and terminate all active sessions, as per Citrix’s recommendation. Mandiant, last week, warned that cyberspies have been exploiting the vulnerability since late August to hijack authentication sessions and steal corporate information. The specific targets and number of compromised organizations remain undisclosed. The US Cybersecurity and Infrastructure Security Agency has classified the bug as “unknown” and added it to its Known Exploited and Vulnerabilities Catalog.
Key Takeaways from the Meeting Notes:
1. Citrix urges administrators to immediately apply a fix for CVE-2023-4966, a critical information disclosure bug affecting NetScaler ADC and NetScaler Gateway. The company acknowledges that this vulnerability has been exploited.
2. A proof-of-concept exploit called Citrix Bleed is now available on GitHub. If you are using an affected build, assume that you have been compromised, apply the update, and kill all active sessions as advised by Citrix.
3. Citrix initially issued a patch for compromised devices on October 10. Last week, Mandiant warned about criminals exploiting this vulnerability since at least late August to hijack authentication sessions and steal corporate information.
4. Citrix recommends immediately installing the recommended builds if using affected builds and if NetScaler ADC is configured as a gateway or an AAA virtual server.
5. Citrix reports incidents consistent with session hijacking and confirms targeted attacks exploiting this vulnerability. However, no further details about the attacks have been released.
6. The exact number of compromised organizations and the specific target of the attacks is unknown.
7. Mandiant Consulting CTO advises terminating all active sessions after applying the patch.
8. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, indicating the urgency to fix this vulnerability.
9. While current attacks seem related to snooping campaigns, there is a possibility of other threat actors with financial motives exploiting this vulnerability in the future.