Citrix urges 'immediate; patch for critical NetScaler bug as exploit POC made public

Trending 1 month ago

Citrix has urged admins to "immediately" use a hole for CVE-2023-4966, a captious accusation disclosure bug that affects NetScaler ADC and NetScaler Gateway, admitting it has been exploited.

Plus, there's a proof-of-concept exploit, dubbed Citrix Bleed, now connected GitHub. So if you are utilizing an affected build, astatine this constituent presume you've been compromised, use nan update, and past termination each progressive sessions per Citrix's proposal from Monday.

The company's first issued a patch for compromised devices connected October 10, and past week Mandiant warned that criminals — astir apt cyberspies — have been abusing this hole to hijack authentication sessions and bargain firm info since astatine slightest precocious August. 

Six days aft nan Google-owned threat intel patient sounded nan alarm, Citrix weighed in. 

"If you are utilizing affected builds and person configured NetScaler ADC arsenic a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) aliases arsenic an AAA virtual server, we powerfully urge that you instantly install nan recommended builds," nan vendor said successful a Cloud Software Group blog station astir CVE-2023-4966 published connected Monday.

"We now person reports of incidents accordant pinch convention hijacking, and person received reliable reports of targeted attacks exploiting this vulnerability," Citrix added.

Oddly, Citrix didn't merchandise immoderate further specifications astir these targeted attacks, which Mandiant past week said were utilized to deed tech firms, authorities organizations, and master services companies.

  • Critical Citrix bug exploited by information thieves weeks earlier being patched
  • It's 2023 and Microsoft WordPad tin beryllium exploited to hijack susceptible systems
  • Cisco fixes captious IOS XE bug but malware unit measurement up of them
  • 1Password confirms attacker tried to propulsion database of admin users aft Okta intrusion

A Citrix spokesperson declined to remark connected really galore organizations person been compromised, and who aliases what nan criminals are targeting successful nan attacks.

"The information bulletin and blog are nan grade of our outer statements astatine this time," nan Citrix spokesperson told The Register.

Also past week, Mandiant Consulting CTO Charles Carmakal warned that "organizations request to do much than conscionable use nan spot — they should besides terminate each progressive sessions. These authenticated sessions will persist aft nan update to mitigate CVE-2023-4966 has been deployed." 

Citrix, successful nan Monday blog, besides echoed this mitigation proposal and told customers to termination each progressive and persistent sessions utilizing nan pursuing commands:

kill icaconnection -all

kill rdp relationship -all

kill pcoipConnection -all

kill aaa convention -all

clear lb persistentSessions

The US Cybersecurity and Infrastructure Security Agency (CISA) past Wednesday added CVE-2023-4966 to its Known Exploited and Vulnerabilities Catalog, and classified nan bug arsenic "unknown" successful nan "used successful ransomware campaigns" column. The summation intends national agencies, and those that do business pinch them, should person this 1 fixed sharpish.

While nan attacks to day are much apt linked to snooping campaigns, "we expect different threat actors pinch financial motivations will utilization this complete time," Carmakal said previously. But let's look it, they usually do. ®