
Recent NetScaler Vulnerability Exploited as Zero-Day Since August

A recently patched critical-severity vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway has been exploited as a zero-day since August, Google’s Mandiant cybersecurity unit reports.

The issue, tracked as CVE-2023-4966 (CVSS score of 9.4), can be exploited without authentication to leak sensitive information from on-prem appliances that are configured as a Gateway or an AAA virtual server.

Citrix announced patches for this and a high-severity vulnerability in NetScaler ADC and Gateway on October 10, but made no mention of potential exploitation.

On Tuesday, however, the tech giant updated its advisory to warn customers of observed in-the-wild exploitation of CVE-2023-4966 and urge them to update their instances as soon as possible.

The flaw was addressed in NetScaler ADC and NetScaler Gateway versions 14.1-8.50, 13.1-49.15, and 13.0-92.19, and in NetScaler ADC versions 13.1-FIPS 13.1-37.164, 12.1-FIPS 12.1-55.300, and 12.1-NDcPP 12.1-55.300.
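The fixed builds listed above can be turned into an inventory check. The following is an added example, not code from Citrix or Mandiant; the banner format `NS13.1: Build 48.47.nc`, the edition labels, and the sample hostnames are assumptions made for illustration.

```python
import re

# Fixed builds exactly as listed in the article, keyed by (release, edition).
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}

# Accepts "13.1-48.47" and the assumed banner form "NS13.1: Build 48.47.nc".
VERSION_RE = re.compile(r"(\d+\.\d+)\s*(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.I)


def check_build(version, edition="standard"):
    """Classify one appliance as 'patched', 'needs_update' or 'unlisted'."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((release, edition.lower()))
    if fixed is None:
        return "unlisted"  # the article names no fixed build for this branch
    # Tuple comparison orders builds numerically: (49, 15) > (48, 47).
    return "patched" if build >= fixed else "needs_update"


def audit(inventory):
    """Map each hostname to its status; unparseable versions are flagged."""
    report = {}
    for host, version, edition in inventory:
        try:
            report[host] = check_build(version, edition)
        except ValueError:
            report[host] = "unparseable"
    return report


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE = [
    ("gw-edge-01", "NS13.1: Build 48.47.nc", "standard"),
    ("gw-edge-02", "14.1-8.50", "standard"),
    ("adc-fips-01", "13.1-37.150", "fips"),
    ("adc-old-01", "12.1-65.25", "standard"),
    ("adc-lab-01", "unknown", "standard"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

A `patched` result only reflects the installed build; it says nothing about sessions that were hijacked before the update was applied.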

Also on Tuesday, Mandiant warned that the vulnerability had been exploited since August, in attacks targeting government, professional services, and technology organizations.


Successful exploitation of the bug could allow an attacker to hijack existing authenticated sessions, bypassing stronger authentication methods, such as multifactor authentication.

“These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor,” Mandiant warns.

Based on the permissions and scope of access of the session, the hijacking could provide attackers with further downstream access, allowing them to harvest credentials, move laterally, and access additional resources within the compromised environment.

In a remediation guide (PDF), Mandiant recommends isolating the NetScaler ADC and Gateway instances in preparation for patching, restricting access to unpatched appliances, updating the appliances, terminating all active sessions after the update, and scanning the appliances for malicious activity, backdoors, and web shells.

“Due to the lack of available log records or other artifacts of exploitation activity, as a precaution, organizations should consider rotating credentials for identities that were provisioned for accessing resources via a vulnerable NetScaler ADC or Gateway appliance,” Mandiant notes.


The cybersecurity firm recommends rebuilding infected appliances from clean images, rotating credentials if single factor authentication remote access is allowed, and restricting ingress access to only trusted or predefined source IP address ranges.

“Although this is not a remote code execution vulnerability, please prioritize the deployment of this patch given the active exploitation and vulnerability criticality,” Mandiant CTO Charles Carmakal says.
