A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway appliances has been actively exploited as a zero-day since late August, security researchers announced.
The security issue is an information disclosure and received a fix last week. It allows attackers to access secrets on appliances configured as a gateway or as an authentication, authorization, and accounting (AAA) virtual server.
In a security bulletin on October 10 with few technical details, Citrix strongly urged customers to install the available update without delay.
A report from Mandiant disclosed that it found evidence of CVE-2023-4966 being exploited in the wild since August to steal authentication sessions and hijack accounts.
"Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023," says the cybersecurity company.
"Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements" - Mandiant
The company also warns that hijacked sessions persist even after installing the security update. Depending on the permissions of the hijacked account, the attackers may leverage the method to move laterally or to breach additional accounts.
Security researchers observed CVE-2023-4966 being exploited to gain access to infrastructure belonging to government organizations and technology companies.
Fixing and mitigation
Apart from applying the patch from Citrix, Mandiant published a document with additional remediation recommendations for NetScaler ADC/Gateway administrators, including the following:
- Restrict ingress IP addresses if immediate patching is not possible.
- Terminate all sessions post-upgrade and run the CLI command: clear lb persistentSessions <vServer>.
- Rotate credentials for identities accessing vulnerable appliances.
- If suspicious activity is detected, especially with single-factor authentication, rotate a broader scope of credentials.
- For detected web shells or backdoors, rebuild appliances from the latest clean-source image.
- If restoring from backup, ensure no backdoors are present in the backup configuration.
- Limit external attack exposure by restricting ingress to trusted IPs.
Also, upgrading the appliances to the following firmware versions should be prioritized:
- NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
- NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
- NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
- NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
- NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
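To check whether an appliance's reported build meets the fixed versions listed above, here is a small added version checker (it is not code from Citrix or Mandiant). It assumes version strings either in the advisory's "13.1-49.15" form, with FIPS/NDcPP editions labelled as in the list above, or in the "NS13.1: Build 49.13.nc" form printed by show ns version.

```python
import re
from typing import Optional

# Minimum fixed builds for CVE-2023-4966, copied from the list above.
# Key: (release train, edition) -> (build, sub-build); "" is the standard edition.
FIXED_BUILDS = {
    ("14.1", ""): (8, 50),
    ("13.1", ""): (49, 15),
    ("13.0", ""): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Matches "13.1-49.15", "13.1-FIPS 13.1-37.164" and "NS13.1: Build 49.13.nc".
# Assumption: FIPS/NDcPP builds carry that label in the string; without it
# a build is compared against the standard-edition threshold.
_VER_RE = re.compile(
    r"(?:NS)?(?P<train>\d+\.\d+)"
    r"(?:-(?P<edition>FIPS|NDcPP)\s+\d+\.\d+)?"
    r"[:\s-]+(?:Build\s+)?(?P<build>\d+)\.(?P<sub>\d+)",
    re.IGNORECASE,
)


def parse_version(text: str) -> tuple[str, str, tuple[int, int]]:
    """Return (train, edition, (build, sub)); raise ValueError if unparseable."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    edition = (m.group("edition") or "").upper()
    if edition == "NDCPP":
        edition = "NDcPP"  # normalise case for the lookup key
    return m.group("train"), edition, (int(m.group("build")), int(m.group("sub")))


def is_patched(text: str) -> Optional[bool]:
    """True if the build is at or above the fixed build for its train/edition,
    False if it is older, None if the train is not in the advisory list."""
    train, edition, build = parse_version(text)
    fixed = FIXED_BUILDS.get((train, edition))
    if fixed is None:
        return None  # e.g. an unlisted or end-of-life train: treat as unknown
    return build >= fixed  # tuple comparison: build first, then sub-build


if __name__ == "__main__":
    for sample in ("13.1-49.15", "NetScaler NS13.1: Build 49.13.nc, Date: Jul 13 2023"):
        print(sample, "->", "patched" if is_patched(sample) else "NOT patched")
```

A None result means the train is absent from the advisory list and needs manual review rather than being assumed safe.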
This is the second zero-day flaw Citrix has fixed in its products this year. A previous one, identified as CVE-2023-3519, was exploited in the wild in early July and received a fix a couple of weeks later.