CitrixBleed - Deep Dive
Resources
CVE-2023-4966 - Citrix Security Bulletin - CISA Guidance - Risky Business News Writeup - Assetnote Security Research - Mandiant Blog
What is citrix bleed?
Scope
This is a vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances. Citrix-managed cloud services and Citrix-managed Adaptive Authentication are not impacted by this vulnerability. These appliances often sit externally at the edge of an organization as a firewall, which means they are available for anyone to poke at. The advisory was released on October 10, 2023.
Here are the vulnerable versions from Citrix Security Bulletin:
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300
Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.
Customers are recommended to update to the latest version of this appliance.
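To turn the version list above into something you can actually run against an inventory, here is an added example (my own code, not from Citrix or the bulletin) that parses a NetScaler build string and compares it against the first fixed build for each branch. The build string format "13.1-49.13" and the "NetScaler NS13.1: Build 49.13.nc" banner format from `show ns version` are assumptions; the FIPS/NDcPP variant has to be supplied by the operator because the banner is assumed not to carry it.

```python
"""Check a NetScaler ADC / Gateway build against the CVE-2023-4966 fixed builds.

Added example. Assumed formats: build strings such as "13.1-49.13" or
"12.1-FIPS-55.300", and a `show ns version` banner such as
"NetScaler NS13.1: Build 49.13.nc, Date: ...".
"""
from __future__ import annotations

import re

# First fixed build per release branch, taken from the Citrix bulletin list above.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
    "13.1-FIPS": (37, 164),
    "12.1-FIPS": (55, 300),
    "12.1-NDcPP": (55, 300),
}

# Branches with no fixed build at all: plain 12.1 is End-of-Life and vulnerable.
EOL_BRANCHES = {"12.1"}

_BUILD_RE = re.compile(r"^(\d+\.\d+)(?:-(FIPS|NDcPP))?-(\d+)\.(\d+)$")
_SHOW_VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")  # assumed banner format


def parse_build(s: str) -> tuple[str, tuple[int, int]]:
    """Split '13.1-FIPS-37.160' into ('13.1-FIPS', (37, 160))."""
    m = _BUILD_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {s!r}")
    branch = m.group(1) + (f"-{m.group(2)}" if m.group(2) else "")
    return branch, (int(m.group(3)), int(m.group(4)))


def build_from_show_version(output: str, variant: str | None = None) -> str:
    """Turn (assumed) `show ns version` output into a build string.

    `variant` is 'FIPS' or 'NDcPP' for those appliances; it is supplied by the
    operator because the banner is assumed not to state it.
    """
    m = _SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no NetScaler version banner found in output")
    branch = m.group(1) + (f"-{variant}" if variant else "")
    return f"{branch}-{m.group(2)}.{m.group(3)}"


def assess(build: str) -> str:
    """Return 'fixed', 'vulnerable', 'vulnerable (EOL)' or 'unknown branch'."""
    branch, number = parse_build(build)
    if branch in FIXED_BUILDS:
        # Tuple comparison orders (49, 13) before (49, 15) and (8, 49) before (8, 50).
        return "fixed" if number >= FIXED_BUILDS[branch] else "vulnerable"
    if branch in EOL_BRANCHES:
        return "vulnerable (EOL)"
    return "unknown branch"


if __name__ == "__main__":
    for b in ["14.1-8.50", "13.1-49.13", "13.0-92.19", "12.1-55.300", "12.1-FIPS-55.300"]:
        print(f"{b:20s} {assess(b)}")
    banner = "NetScaler NS13.1: Build 49.13.nc, Date: Sep 8 2023"  # constructed sample
    print(assess(build_from_show_version(banner)))
```

Feed it the build strings from your asset inventory; anything reported as vulnerable or EOL is a patch (or replacement) ticket, and an unknown branch means the inventory needs a closer look rather than a pass.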
Impact
What makes this vulnerability more severe is that it can disclose sensitive information, including user session information. Essentially, an attacker can exploit the vulnerability to get into the environment with a valid user session, which makes it harder to detect when a threat actor gets into the environment. For those that had to deal with Heartbleed, this is a similar vulnerability. A buffer overflow attack is used against Citrix OpenID. It crashes and leaks part of what is in the device's memory, which can contain sensitive information like session tokens. This allows attackers to then use those tokens to bypass authentication controls and get into the environment.
Fallout
Assetnote has a technical writeup on the attack with exploit code and a video demonstration. Mandiant released a blog post indicating that the vulnerability had been exploited since late August 2023. This means customers should go back to August and look for any sort of activity tied to this vulnerability. IOCs were provided by CISA in a Security Advisory. That advisory also noted that LockBit 3.0 ransomware affiliates were exploiting the vulnerability. Boeing was the organization that shared IOCs.
Risky Business News, a newsletter I highly recommend, has more resources and details on the fallout of the vulnerability including insights from GreyNoise, KryptoKloud, Kevin Beaumont, and The Shadowserver Foundation.
Make sure to patch all the things. If you need consulting services around tackling patch management and vulnerability management click the Contact button below and reach out.