Citrix has urgently called on administrators to safeguard NetScaler ADC and Gateway devices from active attacks that exploit the CVE-2023-4966 vulnerability.
This significant information disclosure flaw, labeled as CVE-2023-4966, was patched by the company two weeks prior and was deemed highly severe (9.4/10). The flaw can be remotely triggered by anonymous attackers through simple methods, without any user engagement.
The vulnerability affects NetScaler devices when set up as a Gateway (e.g., VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server. Although there were no indications of active exploitation upon the patch’s release, cybersecurity firm Mandiant disclosed ongoing attacks a week later.
Mandiant revealed that since late August 2023, bad actors have leveraged this zero-day vulnerability, allowing them to snatch authentication sessions and take over accounts. Such actions could potentially let attackers circumvent multifactor authentication systems. Mandiant also emphasized that even after applying patches, compromised sessions could remain active, potentially granting attackers more access depending on account permissions. In some instances, the vulnerability was exploited to breach government and tech sector systems.
Citrix stated, “Following reports of session hijacking and reliable accounts of targeted attacks due to this vulnerability, we stress the immediate application of recommended builds for affected setups.”
The company also noted its inability to analyze and confirm system compromises. Citrix advises terminating all active sessions using specific commands:
- kill icaconnection -all
- kill rdp connection -all
- kill pcoipConnection -all
- kill aaa session -all
- clear lb persistentSessions
Devices not configured as gateways or AAA virtual servers are immune to these attacks, which includes products like NetScaler Application Delivery Management (ADM) and Citrix SD-WAN.
Lastly, the CISA has added CVE-2023-4966 to its list of Known Exploited Vulnerabilities, instructing federal bodies to reinforce their defenses by November 8.