

Oct 18, 2023 | Newsroom | Enterprise Security / Vulnerability

Critical Citrix NetScaler

Citrix is warning of exploitation of a recently disclosed critical security flaw in NetScaler ADC and Gateway appliances that could result in exposure of sensitive information.

Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability impacts the following supported versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC and NetScaler Gateway 12.1 (currently end-of-life)
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300, and
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300

However, for exploitation to occur, it requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server.

While patches for the flaw were released on October 10, 2023, Citrix has now revised the advisory to note that “exploits of CVE-2023-4966 on unmitigated appliances have been observed.”

Google-owned Mandiant, in its own alert published Tuesday, said it identified zero-day exploitation of the vulnerability in the wild beginning in late August 2023.


“Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multi-factor authentication or other strong authentication requirements,” the threat intelligence firm said.

“These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed.”

Mandiant also said it detected session hijacking where session data was stolen before the patch deployment, and subsequently used by an unspecified threat actor.

“The authenticated session hijacking could then result in further downstream access based upon the permissions and scope of access that the identity or session was permitted,” it further added.

“A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment.”

The threat actor behind the attacks has not been determined, but the campaign is said to have targeted professional services, technology, and government organizations.

In light of active abuse of the flaw and with Citrix bugs becoming a lightning rod for threat actors, it is imperative that users move quickly to update their instances to the latest version to mitigate potential threats.

“Organizations need to do more than just apply the patch – they should also terminate all active sessions,” Mandiant CTO Charles Carmakal said. “Although this isn’t a remote code execution vulnerability, please prioritize the deployment of this patch given the active exploitation and vulnerability criticality.”
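The version list, the Gateway/AAA precondition and Mandiant's session advice can be combined into one triage check. The sketch below is an added example, not code from Citrix, Mandiant or the article; the hostnames, the inventory and the role labels (`gateway`, `aaa`) are constructed assumptions, and version strings are expected in the advisory's own `13.1-49.15` notation.

```python
import re
# First fixed build per release and edition, from the advisory list above.
FIXED = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}
EOL = {("12.1", "standard")}          # end-of-life: no fixed build listed
EXPOSED_ROLES = {"gateway", "aaa"}    # assumed labels for the configurations the advisory names

def parse_version(text):
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(version, edition="standard", roles=()):
    release, build = parse_version(version)
    key = (release, edition.lower())
    exposed = bool(EXPOSED_ROLES & {r.lower() for r in roles})
    if key in EOL:
        status = "end-of-life"
    elif key not in FIXED:
        status = "not-listed"
    elif build < FIXED[key]:   # integer tuples, so 12.35 sorts after 8.50
        status = "vulnerable"
    else:
        status = "patched"
    actions = []
    if status in ("vulnerable", "end-of-life"):
        actions.append("upgrade to a fixed build")
    if exposed and status != "not-listed":
        # Hijacked sessions may persist after the update, so patched hosts are included.
        actions.append("terminate all active sessions")
    return {"status": status, "exposed": exposed, "actions": actions}

# Constructed inventory: (hostname, version, edition, roles). Not real hosts.
INVENTORY = [
    ("adc-edge-01", "13.1-48.47", "standard", ["gateway"]),
    ("adc-edge-02", "14.1-12.35", "standard", ["aaa"]),
    ("adc-lb-03", "13.0-91.13", "standard", ["load-balancer"]),
    ("adc-old-04", "12.1-65.25", "standard", ["gateway"]),
]
if __name__ == "__main__":
    for host, version, edition, roles in INVENTORY:
        print(host, version, assess(version, edition, roles))
```

Builds are compared as integer pairs because a plain string comparison would rank 14.1-12.35 below 14.1-8.50 and misreport a patched appliance as vulnerable.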
