Citrix Bleed exploit lets hackers hijack NetScaler accounts

A proof-of-concept (PoC) utilization is released for nan 'Citrix Bleed' vulnerability, tracked arsenic CVE-2023-4966, that allows attackers to retrieve authentication convention cookies from susceptible Citrix NetScaler ADC and NetScaler Gateway appliances.

CVE-2023-4966 is simply a critical-severity remotely exploitable accusation disclosure flaw Citrix fixed connected October 10 without providing galore details.

On October 17, Mandiant revealed that nan flaw was abused arsenic a zero-day successful constricted attacks since precocious August 2023.

This Monday, Citrix issued a subsequent warning to administrators of NetScaler ADC and Gateway appliances, urging them to spot nan flaw immediately, arsenic nan complaint of exploitation has started to prime up.

Today, researchers astatine Assetnote shared much specifications astir nan exploitation method of CVE-2023-4966 and published a PoC utilization connected GitHub to show their findings and thief those who want to trial for exposure.

The Citrix Bleed flaw

The CVE-2023-4966 Citrix Bleed flaw is an unauthenticated buffer-related vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway, web devices utilized for load balancing, firewall implementation, postulation management, VPN, and personification authentication.

By analyzing nan unpatched (13.1-48.47) and patched versions (13.1-49.15) of NetScaler, Assetnote recovered 50 usability changes.

Among these functions, nan researchers recovered 2 ('ns_aaa_oauth_send_openid_config' and 'ns_aaa_oauthrp_send_openid_config') that featured further bounds checks preceding nan procreation of a response.

These functions usage 'snprintf' to insert nan due information into nan generated JSON payload for nan OpenID configuration. In nan pre-patch version, nan consequence is sent instantly without checks.

The vulnerability emerges from nan return worth of nan snprintf function, which tin lead to a buffer over-read if exploited.

The patched type ensures that a consequence will only beryllium sent if snprintf returns a worth little than 0x20000.

Snatching convention tokens

Armed pinch that knowledge, Assetnote's analysts attempted to utilization susceptible NetScaler endpoints.

During that process, they recovered that nan hostname worth utilized for generating nan payload comes from nan HTTP Host header, truthful 1 does not request administrator authorities to entree it.

Furthermore, nan hostname is inserted into nan payload six times. Hence, its exploitation makes it imaginable to transcend nan buffer limit, forcing nan endpoint to respond pinch nan buffer's contents and adjacent memory.

"We could intelligibly spot a batch of leaked representation instantly pursuing nan JSON payload," explains Assetnote successful nan report.

"While a batch of it was null bytes, location was immoderate suspicious-looking accusation successful nan response."

Response leaking delicate info (Assetnote)

By exploiting nan vulnerability thousands of times for testing, nan analysts consistently located a 32-65 byte agelong hex drawstring that is simply a convention cookie.

Retrieving that cooky makes it imaginable for attackers to hijack accounts and summation unrestricted entree to susceptible appliances.

Now that a CVE-2023-4966 utilization is publically available, it is expected that threat actors will summation their targeting of Citrix Netscaler devices to summation first entree to firm networks.

Threat monitoring service Shadowserver reports spikes of exploitation attempts pursuing nan publication of Assetnote's PoC, truthful nan malicious activity has already started.

As these types of vulnerabilities are commonly utilized for ransomware and information theft attacks, it is powerfully advised that strategy administrators instantly deploy patches to resoluteness nan flaw.