Citrix Bleed Exploit Lets Hackers Hijack NetScaler Accounts

Cyber Security Threat Summary:
A proof-of-concept (PoC) exploit is released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. CVE-2023-4966 is a critical-severity remotely exploitable information disclosure flaw Citrix fixed on October 10 without providing many details. On October 17, Mandiant revealed that the flaw was abused as a zero-day in limited attacks since late August 2023.

This week, Citrix issued a warning to administrators urging them to patch the flaw immediately as the rate of exploitation was growing. Today, researchers from Assetnote published a proof of concept (PoC) for the vulnerability on GitHub to demonstrate their findings and help organizations test their exposure.

Security Officer Comments:
CVE-2023-4966 is an unauthenticated buffer-related vulnerability which impacts Citrix NetScaler ADC and NetScaler Gateway. These are network devices used for load balancing, firewall implementation, traffic management, VPN, and user authentication.

Assetnote was able to compare the unpatched versions with the recently released patch to determine where the vulnerability likely resided. In total, the researchers found 50 function changes in the update. Two of the functions contained additional bounds checks. The vulnerability emerges from the return value of the snprintf function: snprintf reports the length the formatted output would have had rather than the number of bytes actually written, so using that value as a length can lead to a buffer over-read. The patched version ensures that a response will only be sent if snprintf returns a value lower than 0x20000.
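The snprintf return-value pitfall described above, as an added illustration of the bug class rather than Citrix's code or Assetnote's findings: `format_unsafe` trusts the return value as the number of bytes in the buffer, while `format_checked` mirrors the shape of the fix by refusing to report a length when the output did not fit. `BUF_SIZE`, the `user=%s` format, and the names of all functions are constructed for this example; the page's 0x20000 limit is replaced by a small buffer size so the truncation case is easy to exercise.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed buffer size; stands in for the appliance's real response buffer limit. */
#define BUF_SIZE 64

/* Unsafe pattern (hypothetical): returns snprintf's value as if it were the number of
 * bytes now in buf. When the formatted string is longer than bufsz, snprintf truncates
 * the output but still returns the full untruncated length, so a caller that sends
 * that many bytes from buf reads past the end of the buffer. */
long format_unsafe(char *buf, size_t bufsz, const char *name) {
    int n = snprintf(buf, bufsz, "user=%s", name);
    if (n < 0) return -1;          /* encoding error */
    return (long)n;                /* may be >= bufsz: over-read hazard for the caller */
}

/* Hardened pattern (hypothetical): only report a length if the whole string fit.
 * This is the shape of the bounds check the summary describes: send nothing unless
 * the snprintf result is below the buffer limit. */
long format_checked(char *buf, size_t bufsz, const char *name) {
    int n = snprintf(buf, bufsz, "user=%s", name);
    if (n < 0 || (size_t)n >= bufsz) return -1;  /* truncated or error: refuse */
    return (long)n;
}

/* Helpers that build a constructed name of `count` 'A' characters and return what
 * each pattern reports, so the difference can be checked without manual setup. */
static char *make_name(size_t count) {
    char *name = malloc(count + 1);
    if (!name) return NULL;
    memset(name, 'A', count);
    name[count] = '\0';
    return name;
}

long unsafe_reported_len(size_t count) {
    char buf[BUF_SIZE];
    char *name = make_name(count);
    if (!name) return -1;
    long n = format_unsafe(buf, sizeof buf, name);
    free(name);
    return n;
}

long checked_reported_len(size_t count) {
    char buf[BUF_SIZE];
    char *name = make_name(count);
    if (!name) return -1;
    long n = format_checked(buf, sizeof buf, name);
    free(name);
    return n;
}

/* 1 if the unsafe pattern would hand the caller a length beyond the buffer
 * for a name of `count` characters, 0 otherwise. */
int unsafe_would_over_read(size_t count) {
    long n = unsafe_reported_len(count);
    return n >= (long)BUF_SIZE;
}

int main(void) {
    printf("short name : unsafe=%ld checked=%ld\n",
           unsafe_reported_len(5), checked_reported_len(5));
    printf("long name  : unsafe=%ld checked=%ld over_read=%d\n",
           unsafe_reported_len(100), checked_reported_len(100),
           unsafe_would_over_read(100));
    return 0;
}
```

With a 100-character name the unsafe variant reports 105 bytes for a 64-byte buffer, which is exactly the length a caller would then copy out of memory; the checked variant returns -1 and the response is never sent. The defensive rule is the one the patch encodes: treat snprintf's return value as a "would have needed" size and compare it against the buffer before using it as a length.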

Assetnote was able to exploit the vulnerability by exceeding the buffer limit and consistently located a 32-65 byte long hex string that is a session cookie. Retrieving that cookie makes it possible for attackers to hijack accounts and gain unrestricted access to vulnerable appliances.

Suggested Correction(s):
Now that a CVE-2023-4966 exploit is publicly available, it is expected that threat actors will increase their targeting of Citrix NetScaler devices to gain initial access to corporate networks. As these types of vulnerabilities are commonly used for ransomware and data theft attacks, it is strongly advised that system administrators immediately deploy patches to resolve the flaw.