NetScaler Vulnerability Advisory | October 2023

There's a critical vulnerability in NetScaler Gateway and NetScaler ADC products under active exploitation. Here's what you need to know.

November Update:

Threat actors have begun exploiting this vulnerability (now named Citrix Bleed) to deploy ransomware. If your organization has not already updated to a fixed version, we recommend doing so immediately and checking for any indicators of compromise (IOCs).

Background

Citrix released an advisory detailing a critical security flaw in NetScaler Gateway (formerly Citrix Gateway) and NetScaler ADC (formerly Citrix Application Delivery Controller). NetScaler Gateway is commonly used as a remote access solution and NetScaler ADC is a networking appliance for web applications. The security flaw (CVE-2023-4966) allows a remote attacker to bypass password and MFA requirements to hijack legitimate user sessions. A security patch has been released and should be applied immediately.

The vulnerability affects the following products and versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End of Life (EOL) and is vulnerable.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Impact

Without a security patch, remote attackers are hijacking legitimate user sessions, bypassing password and MFA requirements. After taking over a session, attackers are able to acquire elevated privileges, harvest credentials, move laterally, and access additional data and resources. These attacks are already taking place and have resulted in ransomware being deployed across organizations.

Next steps for Citrix customers:

  1. Upgrade to a non-vulnerable version of ADC or Gateway as soon as possible:
    • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
    • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
    • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
    • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
    • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
    • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
    Note: Citrix ADC and Citrix Gateway versions prior to 12.1 are End of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

  2. If you have not already updated, check for indicators of compromise after you do, since malicious activity may already have taken place before the update. See here for a non-exhaustive IOC list.
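
To make the version check in step 1 mechanical, the following added example (not Citrix's code or part of the original advisory) compares a NetScaler version string against the fixed builds listed above. It accepts both the "13.1-49.15" form used in this bulletin and the banner printed by `show ns version` (the banner format is an assumption here); the FIPS and NDcPP branches must be passed as the variant, since the same branch number has different fixed builds.

```python
import re

# First fixed build per (branch, variant), taken from the advisory's version list.
# Builds are compared as (major, minor) integer tuples, so 8.50 > 8.7.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Matches "13.1-49.15" as well as the `show ns version` banner
# "NetScaler NS13.1: Build 49.15.nc, Date: ..." (banner format assumed).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|: Build )(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, (build_major, build_minor)) from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(text, variant="standard"):
    """Classify an appliance for CVE-2023-4966.

    Returns 'fixed', 'vulnerable', 'eol-vulnerable' (standard 12.1 and
    earlier, which have no fix) or 'unknown' (branch not covered by the
    advisory, e.g. a release newer than the bulletin).
    """
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        if variant == "standard" and tuple(map(int, branch.split("."))) < (13, 0):
            return "eol-vulnerable"
        return "unknown"
    return "fixed" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not real appliance output.
    for sample, variant in [("13.1-49.13", "standard"),
                            ("NetScaler NS13.0: Build 92.19.nc, Date: Oct 10 2023", "standard"),
                            ("12.1-55.300", "FIPS"),
                            ("12.1-55.300", "standard")]:
        print(f"{sample:55} {variant:8} -> {assess(sample, variant)}")
```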

Resources

https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a