A critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway has been actively exploited since August, according to a warning from cybersecurity firm Mandiant. The company disclosed in a blog post that it observed zero-day exploitation of the vulnerability beginning in late August against technology and government organizations. The threat actors also used multifactor authentication (MFA) bypass techniques, which means enterprises must take additional actions beyond patching to defend against them.
The vulnerability in question, tracked as CVE-2023-4966, is a sensitive information disclosure flaw that received a CVSS score of 9.4. Successful exploitation of this vulnerability could allow attackers to hijack existing authenticated sessions, bypassing multifactor authentication or other strong authentication requirements. This is a concerning development, as identity-based attacks that bypass MFA protocols have been on the rise and have seen a high level of success. Recent attacks against Las Vegas casinos serve as a testament to the effectiveness of these tactics.
Mandiant highlighted that existing authenticated sessions may persist even after the update that mitigates CVE-2023-4966 has been deployed. The company also observed instances of session hijacking, where session data was stolen prior to the patch deployment and subsequently used by threat actors. This authenticated session hijacking could then lead to further downstream access based on the permissions and scope of access granted to the compromised identity or session.
Moreover, an attacker could use this vulnerability to harvest credentials or gain access to additional resources within a victim environment. As a response to the ongoing threats, Citrix updated its initial security bulletin with an active exploitation warning. Mandiant’s CTO, Charles Carmakal, also addressed the situation, urging users to prioritize patching given the active exploitation and vulnerability criticality. He emphasized the need for organizations to terminate all active sessions, even after applying the patch, to prevent threat actors from using stolen session data to authenticate to resources.
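The reason patching alone is not enough, as an added illustration that is not from the article, Citrix or Mandiant: a patch closes the information leak, but a server-side session table does not know which tokens were already read out, so a token captured before the patch keeps authenticating until sessions are actually terminated. The session store, timestamps, token values and addresses below are all constructed for this example; the client-address mismatch check is a defender heuristic assumed here, not something the article describes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class Session:
    token: str            # opaque session cookie value (constructed)
    user: str
    client_ip: str        # address that completed login and MFA
    established: datetime

class SessionStore:
    """Server-side session table. Patching the information leak closes the
    way tokens were read out; it does not touch this table."""
    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def create(self, token, user, client_ip, when):
        self._sessions[token] = Session(token, user, client_ip, when)

    def validate(self, token, client_ip):
        """Return (session, ip_mismatch). A known token is accepted without
        re-authentication or MFA; a differing source address is only a hint
        worth logging, since users roam and attackers can match addresses."""
        s = self._sessions.get(token)
        if s is None:
            return None, False
        return s, s.client_ip != client_ip

    def established_before(self, cutoff):
        """Sessions that predate the patch: any of them could have leaked."""
        return [s for s in self._sessions.values() if s.established < cutoff]

    def terminate_all(self):
        """The 'terminate all active sessions' step; returns the count."""
        n = len(self._sessions)
        self._sessions.clear()
        return n

def walkthrough():
    """Constructed timeline: two logins before the patch, patch applied later."""
    store = SessionStore()
    before = datetime(2023, 8, 25, 9, 0, tzinfo=timezone.utc)   # constructed
    store.create("sess-aaa", "alice", "198.51.100.10", before)
    store.create("sess-bbb", "bob", "198.51.100.11", before)
    patch_time = datetime(2023, 10, 10, 12, 0, tzinfo=timezone.utc)  # constructed
    # Assume "sess-aaa" leaked pre-patch (the leak itself is not modelled).
    # Post-patch the replayed token is still accepted, here from a new address:
    sess, mismatch = store.validate("sess-aaa", "203.0.113.7")
    stale = len(store.established_before(patch_time))
    killed = store.terminate_all()
    gone, _ = store.validate("sess-aaa", "203.0.113.7")
    return sess is not None, mismatch, stale, killed, gone is None
```

Running `walkthrough()` shows the leaked token accepted after the patch, both pre-patch sessions flagged as stale, and the token rejected only once the table is cleared.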
The identity of the threat actors behind these exploits is currently unknown, but Mandiant is assessing potential cyberespionage motives. However, Carmakal warned that other threat actors with financial motivations may also seek to exploit this vulnerability in the future. The exact discovery process of CVE-2023-4966 remains unclear, as Citrix’s advisory does not credit any party for reporting the vulnerability.
This is not the first time that Citrix NetScaler ADC and NetScaler Gateway have been targeted. In July, Citrix warned about another vulnerability, an unauthenticated remote code execution flaw tracked as CVE-2023-3519, which was being exploited in the wild. That vulnerability had a CVSS score of 9.8 and affected unmitigated ADC and Gateway products. The July security bulletin also noted that NetScaler ADC and NetScaler Gateway version 12.1 were considered end of life (EOL). Enterprises often face challenges when it comes to retiring legacy and EOL products, which can create additional security risks.
In conclusion, the active exploitation of the critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway has raised concerns among cybersecurity experts. The ongoing threat of multifactor authentication bypass techniques highlights the need for organizations to take additional actions beyond patching to defend against these attacks. It is essential for enterprises to prioritize patching, terminate active sessions, and remain vigilant against potential MFA bypass attacks. Failure to do so could result in identity-based attacks, data breaches, and unauthorized access to critical resources.
