
Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability.
The company patched this critical sensitive information disclosure flaw (tracked as CVE-2023-4966) two weeks ago, assigning it a 9.4/10 severity rating because it is remotely exploitable by unauthenticated attackers in low-complexity attacks that require no user interaction.
NetScaler appliances must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server to be vulnerable to these attacks.
While the company had no evidence the vulnerability was being exploited in the wild when the fix was released, ongoing exploitation was disclosed by Mandiant one week later.
The cybersecurity firm said threat actors had been exploiting CVE-2023-4966 as a zero-day since late August 2023 to steal authentication sessions and hijack accounts, which can help the attackers bypass multifactor authentication or other strong authentication requirements.
Mandiant cautioned that compromised sessions persist even after patching and, depending on the compromised accounts' permissions, attackers could move laterally across the network or compromise other accounts.
Furthermore, Mandiant found instances where CVE-2023-4966 was exploited to infiltrate the infrastructure of government entities and technology firms.
Admins urged to secure systems against ongoing attacks
"We now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability," Citrix warned today.
"If you are using affected builds and have configured NetScaler ADC as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server, we strongly recommend that you immediately install the recommended builds because this vulnerability has been identified as critical."
Citrix added that it is "unable to provide forensic analysis to determine if a system may have been compromised."
Citrix also recommends terminating all active and persistent sessions using the following commands:
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
NetScaler ADC and NetScaler Gateway devices that are not set up as gateways (including VPN virtual server, ICA proxy, CVPN, or RDP proxy) or as AAA virtual servers (typical load balancing configurations, for instance) are not vulnerable to CVE-2023-4966 attacks.
This also includes products like NetScaler Application Delivery Management (ADM) and Citrix SD-WAN, as Citrix confirmed.
Last Thursday, CISA added CVE-2023-4966 to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to secure their systems against active exploitation by November 8.
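Because stolen sessions survive the patch, the session-termination step above has to be applied to every gateway or AAA appliance, not just the one that was patched first. The following script is an added example, not Citrix tooling, for running those five commands across an inventory of appliances from an admin host. It assumes the appliances accept NetScaler CLI commands over SSH as an admin account (nsroot by default, overridable via NS_USER) with key-based login; the hostnames in the sample inventory are constructed placeholders. It defaults to a dry run that only prints what would be sent.

```shell
#!/bin/sh
# Added example (not Citrix's own tooling): send the session-termination
# commands from the advisory to each NetScaler appliance in an inventory.
# Assumptions: the appliance's ssh login drops into the NetScaler CLI, so a
# CLI command can be passed as the remote ssh command; key-based access to
# an admin account (default nsroot) is already set up.

# The five commands Citrix recommends, in the order the advisory lists them.
netscaler_session_purge_commands() {
    printf '%s\n' \
        'kill icaconnection -all' \
        'kill rdp connection -all' \
        'kill pcoipConnection -all' \
        'kill aaa session -all' \
        'clear lb persistentSessions'
}

# Print what would be sent to one appliance; with DRY_RUN=0 actually send
# each command over SSH and report failures without stopping the batch.
purge_sessions_on() {
    host="$1"
    user="${NS_USER:-nsroot}"
    netscaler_session_purge_commands | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf 'DRY-RUN %s: %s\n' "$host" "$cmd"
        else
            ssh -o BatchMode=yes "$user@$host" "$cmd" \
                || printf 'FAILED %s: %s\n' "$host" "$cmd" >&2
        fi
    done
}

# Inventory file: one hostname per line, '#' comments and blank lines ignored.
purge_sessions_from_inventory() {
    inventory="$1"
    grep -v '^[[:space:]]*#' "$inventory" | grep -v '^[[:space:]]*$' \
        | while IFS= read -r host; do purge_sessions_on "$host"; done
}

# Demo run against a constructed inventory (placeholder hostnames, dry run).
if [ "${NS_DEMO:-0}" = "1" ]; then
    tmp=$(mktemp)
    printf '# placeholder hosts\nnetscaler-gw-1.example.invalid\nnetscaler-aaa-1.example.invalid\n' > "$tmp"
    DRY_RUN=1 purge_sessions_from_inventory "$tmp"
    rm -f "$tmp"
fi
```

Run it as `NS_DEMO=1 sh purge.sh` to see the dry-run output; set `DRY_RUN=0` only once the inventory has been reviewed, and do the purge after the fixed build is installed, since sessions created before the patch are exactly the ones Mandiant warns persist.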