Alert essentials:
Depending on the NetScaler configuration, attackers may bypass MFA requirements and take over an existing authenticated session. Upgrade immediately to a patched version of NetScaler.
Detailed threat description:
An information disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being actively exploited. If the device is configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, it is affected by this vulnerability.
Fixed by Citrix last week, the vulnerability allows attackers to hijack active sessions and bypass multifactor authentication. Depending on the permissions of the hijacked account, an attacker could obtain additional credentials and move laterally across the network to reach further resources.
The threat actors behind the exploitation have not been identified, but numerous cybercriminal groups are believed to be using the exploit to plant backdoors and steal credentials. Organizations are therefore urged to terminate all active sessions and patch immediately.
Impacts on healthcare organizations
Information disclosure vulnerabilities can leak sensitive patient or organizational data, and the leaked information can also serve as a starting point for mapping more of the attack surface and network. With the right skill set, a bad actor can use that additional information to build further exploits that could cause network instability and limit the use of life-saving technology.
Affected Products / Versions
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC and NetScaler Gateway 12.1 (currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
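The affected-version list above is easiest to apply when the check is scripted against the build string each appliance reports. The following is an added example, not code from the advisory or from Citrix; it encodes the fixed builds listed above and assumes that the first line of `show ns version` output has the shape "NetScaler NS13.1: Build 49.13.nc, ..." (that format, and the `edition` parameter used to select the FIPS and NDcPP rows, are assumptions made here).

```python
import re

# Fixed builds from the advisory's affected-version list, keyed by
# (release, edition). The 12.1 mainline is end-of-life and has no fixed build.
FIXED_BUILDS = {
    ("14.1", "std"): (8, 50),
    ("13.1", "std"): (49, 15),
    ("13.0", "std"): (92, 19),
    ("12.1", "std"): None,
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Assumed layout of the `show ns version` banner, e.g.
# "NetScaler NS13.1: Build 49.13.nc, Date: ..." (assumption, not from the advisory).
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(banner):
    """Return (release, (build_major, build_minor)) from a version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(banner, edition="std"):
    """Classify a build as 'vulnerable', 'patched', 'eol' or 'unknown'.

    This is a build-level check only: per the advisory, exposure also depends
    on the appliance being configured as a gateway or AAA virtual server.
    """
    release, build = parse_version(banner)
    fixed = FIXED_BUILDS.get((release, edition), "missing")
    if fixed == "missing":
        return "unknown"      # release/edition not covered by the advisory
    if fixed is None:
        return "eol"          # no fixed build exists; migrate off this release
    # Tuple comparison handles builds such as 49.9 vs 49.15 correctly.
    return "vulnerable" if build < fixed else "patched"


if __name__ == "__main__":
    for banner, edition in [
        ("NetScaler NS13.1: Build 49.13.nc, Date: Jun 1 2023", "std"),
        ("NetScaler NS14.1: Build 8.50.nc", "std"),
        ("NetScaler NS12.1: Build 65.39.nc", "std"),
    ]:
        print(edition, banner, "->", assess(banner, edition))
```

Run it against the banner collected from each appliance (for example via your inventory tooling) and treat anything other than "patched" as requiring action; an "eol" result on 12.1 means there is no patch and the appliance must be migrated to a supported release.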
CVE
- CVE-2023-4966
Recommendations
Engineering recommendations:
- Upgrade appliances to the newest version
- After upgrading, terminate all active and persistent sessions on each appliance
- Restrict ingress IP addresses if patching cannot be done immediately
- Change credentials on any impacted devices
- If an appliance must be restored from a backup image, review the image configuration to ensure there is no evidence of backdoors
- If web application firewalls or other platforms that capture URL requests are deployed in front of the NetScaler device(s), review the available logs for an abnormal volume of web requests from suspicious IP addresses
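The last recommendation, reviewing upstream WAF or proxy logs for an abnormal request volume from individual sources, is straightforward to automate. The following is an added example written for this advisory, not code from Fortified, Citrix, or any WAF vendor. It assumes a simplified combined log format ("<client_ip> [<timestamp>] "<method> <path> <proto>" <status> <bytes>"); adjust `LINE_RE` to whatever your platform actually writes. The sample lines are constructed here, and 203.0.113.7 is a documentation address, not a real indicator.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout for a WAF or reverse proxy in front of the NetScaler
# (assumption, not from the advisory):
#   <client_ip> [<timestamp>] "<method> <path> <proto>" <status> <bytes>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line; return None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def burst_sources(log_text, window_seconds=300, threshold=50):
    """Return {ip: peak request count within any window_seconds span}
    for sources whose peak reaches threshold.

    Records are sorted by timestamp first, so an unordered export from a
    log platform still produces correct sliding-window counts.
    """
    window = timedelta(seconds=window_seconds)
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)
    for r in records:
        q = recent[r["ip"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:   # q is never empty here
            q.popleft()
        peak[r["ip"]] = max(peak[r["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def make_sample():
    """Constructed sample: two quiet clients plus one source (203.0.113.7)
    making 60 requests two seconds apart, and one malformed line."""
    base = datetime.strptime("24/Oct/2023:10:00:00 +0000", TS_FMT)
    lines = []

    def add(ip, offset, path, status=200):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(f'{ip} [{ts}] "GET {path} HTTP/1.1" {status} 1523')

    for i in range(3):
        add("10.0.0.5", i * 90, "/vpn/index.html")
        add("10.0.0.6", i * 120, "/logon/LogonPoint/index.html")
    for i in range(60):
        add("203.0.113.7", 30 + 2 * i, "/vpn/index.html")
    lines.append("garbage line that should be ignored")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, n in burst_sources(make_sample()).items():
        print(f"{ip}: peak of {n} requests within 5 minutes")
```

The threshold is deliberately a parameter: tune it to the normal per-client rate for your gateway (a few requests per login is typical for a human user) and review anything flagged alongside the appliance's own session and authentication logs rather than blocking on this signal alone.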
Leadership / Program recommendations:
- NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL). Citrix urges its customers to upgrade their appliances to one of the supported versions that address the vulnerabilities.
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
- https://docs.netscaler.com/en-us/citrix-adc/current-release/load-balancing/load-balancing-persistence/clearing-persistence.html
- https://developer-docs.netscaler.com/en-us/adc-command-reference-int/current-release/vpn/vpn-icaConnection.html#example
- https://www.tenable.com/blog/cve-2023-4966-citrix-netscaler-adc-and-netscaler-gateway-information-disclosure-exploited-in