Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability.
The company patched this critical sensitive information disclosure flaw (tracked as CVE-2023-4966) two weeks ago, assigning it a 9.4/10 severity rating as it's remotely exploitable by unauthenticated attackers in low-complexity attacks that don't require user interaction.
NetScaler appliances must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server to be vulnerable to attacks.
While the company had no evidence the vulnerability was being exploited in the wild when the fix was released, ongoing exploitation was disclosed by Mandiant one week later.
The cybersecurity company said threat actors had been exploiting CVE-2023-4966 as a zero-day since late August 2023 to steal authentication sessions and hijack accounts, which could help the attackers bypass multifactor authentication or other strong auth requirements.
Mandiant cautioned that compromised sessions persist even after patching and, depending on the compromised accounts' permissions, attackers could move laterally across the network or compromise other accounts.
Additionally, Mandiant found instances where CVE-2023-4966 was exploited to infiltrate the infrastructure of government entities and technology corporations.
Admins urged to secure systems against ongoing attacks
"We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability," Citrix warned today.
"If you are using affected builds and have configured NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server, we strongly recommend that you immediately install the recommended builds because this vulnerability has been identified as critical."
Citrix added that it's "unable to provide forensic analysis to determine if a system may have been compromised."
Also, Citrix recommends killing all active and persistent sessions using the following commands:
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
NetScaler ADC and NetScaler Gateway devices, when not set up as gateways (including VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as AAA virtual servers (typical load balancing configurations, for instance), are not vulnerable to CVE-2023-4966 attacks.
This also includes products like NetScaler Application Delivery Management (ADM) and Citrix SD-WAN, as Citrix confirmed.
Last Thursday, CISA added CVE-2023-4966 to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to secure their systems against active exploitation by November 8.