A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway appliances has been actively exploited as a zero-day since late August, security researchers announced.

The security issue is an information disclosure that received a fix last week. It allows attackers to access secrets on appliances configured as a gateway or as an authentication, authorization, and accounting (AAA) virtual server.

In a security bulletin on October 10 with few technical details, Citrix strongly urged customers to install the available update without delay.

A report from Mandiant disclosed that it found indicators of CVE-2023-4966 being exploited in the wild since August to steal authentication sessions and hijack accounts.

“Mandiant has identified zero-day exploitation of this vulnerability in the wild beginning in late August 2023,” says the cybersecurity company.

“Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multifactor authentication or other strong authentication requirements” – Mandiant

The company also warns that hijacked sessions persist even after installing the security update. Depending on the permissions of the hijacked account, the attackers could leverage the method to move laterally or to breach more accounts.

Security researchers observed CVE-2023-4966 being exploited for access on infrastructure belonging to government organizations and technology companies.

Fixing and mitigation

Apart from applying the patch from Citrix, Mandiant published a document with additional remediation recommendations for NetScaler ADC/Gateway administrators, with the following suggestions:

  1. Restrict ingress IP addresses if immediate patching is not feasible.
  2. Terminate all sessions post-upgrade and run the CLI command: clear lb persistentSessions <vServer>.
  3. Rotate credentials for identities accessing vulnerable appliances.
  4. If suspicious activity is detected, especially with single-factor authentication, rotate a broader scope of credentials.
  5. For detected web shells or backdoors, rebuild appliances with the latest clean-source image.
  6. If restoring from backup, ensure no backdoors are in the backup configuration.
  7. Limit external attack exposure by restricting ingress to trusted IPs.

Also, upgrading the appliances to the following firmware versions should be prioritized:

  • NetScaler ADC and NetScaler Gateway 14.1-8.50 and later
  • NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
  • NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0 
  • NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS 
  • NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS 
  • NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
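The fixed-build list above is easy to misread under pressure, since each branch has its own minimum build and the FIPS and NDcPP editions have different thresholds from the standard builds. The script below is an added example, not Citrix's or Mandiant's tooling: it encodes the first fixed build of each branch listed above and classifies an inventory of version strings as patched, vulnerable, or on a branch for which no fixed build is listed. The inventory is constructed, the two accepted version formats (the `13.1-49.15` form used in the bulletin and a `NS13.1: Build 49.15.nc` banner of the kind `show ns version` prints) are assumptions, and the edition (FIPS or NDcPP) is passed in by the caller because the build number alone does not encode it.

```python
import re

# First fixed build per branch for CVE-2023-4966, taken from the list above.
# Key: (release, edition); value: (build, sub-build). Edition "" is the
# standard NetScaler ADC/Gateway build.
FIXED_BUILDS = {
    ("14.1", ""): (8, 50),
    ("13.1", ""): (49, 15),
    ("13.0", ""): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Accepted version formats (assumed, not taken from Citrix documentation):
#   "13.1-49.15"              bulletin-style release-build string
#   "NS13.1: Build 49.15.nc"  banner-style string as printed by `show ns version`
VERSION_PATTERNS = [
    re.compile(r"(?P<rel>\d+\.\d+)-(?P<build>\d+)\.(?P<sub>\d+)"),
    re.compile(r"NS(?P<rel>\d+\.\d+):\s*Build\s+(?P<build>\d+)\.(?P<sub>\d+)"),
]


def parse_version(text):
    """Return (release, build, sub) or None if no known format matches."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(text)
        if match:
            return (match.group("rel"), int(match.group("build")), int(match.group("sub")))
    return None


def assess(version_text, edition=""):
    """Classify one appliance as 'patched', 'vulnerable' or 'no-fix-listed'.

    edition is "" for standard builds, "FIPS" or "NDcPP" for those editions.
    A release with no fixed build in the list (for example a standard 12.1
    build) is reported separately so it is not mistaken for a patched host.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    release, build, sub = parsed
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        return "no-fix-listed"
    # Tuple comparison orders by build first, then sub-build, so 50.1 > 49.15.
    return "patched" if (build, sub) >= fixed else "vulnerable"


# Constructed sample inventory: hostnames and version strings are made up.
INVENTORY = [
    ("gw1.example.test", "13.1-49.15", ""),
    ("gw2.example.test", "13.1-48.47", ""),
    ("gw3.example.test", "NS14.1: Build 8.50.nc", ""),
    ("gw4.example.test", "12.1-55.300", "FIPS"),
    ("gw5.example.test", "12.1-55.300", ""),
]


def triage(inventory):
    """Map each hostname to its CVE-2023-4966 patch status."""
    return {host: assess(version, edition) for host, version, edition in inventory}


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host}: {status}")
```

A host reported as `patched` still needs the session-termination and credential-rotation steps from the remediation list, since the upgrade alone does not invalidate sessions captured beforehand.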

This is the second zero-day flaw Citrix has fixed in its products this year. A previous one, identified as CVE-2023-3519, was exploited in the wild in early July and received a fix a few weeks later.
