Executive Summary
Citrix Bleed, a critical vulnerability, has compromised approximately 20,000 devices. Hackers are actively exploiting it despite a patch having been available for three weeks, using it to bypass multifactor authentication and gain access to enterprise networks. The vulnerability has a CVSS score of 9.4 and poses a significant threat: it can disclose sensitive information, including session tokens, on affected devices. It affects Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway and has been under active exploitation since August.
With an estimated 20,000 devices already compromised and active exploitation of this vulnerability, organisations must act swiftly to protect their networks and sensitive information.
About the Vulnerability
Commonly referred to as Citrix Bleed, CVE-2023-4966 is a critical information disclosure vulnerability. It resides in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway hardware.
It enables attackers to bypass multifactor authentication and access enterprise networks. The vulnerability has a CVSS score of 9.4 because of its impact on session tokens, which are issued to devices that have already successfully presented credentials, including those that completed multifactor authentication. Despite Citrix releasing a patch on October 10, attacks have escalated, and an estimated 20,000 exploited Citrix devices have already been identified. The vulnerability is relatively easy for experienced attackers to exploit, and proof-of-concept exploits are readily available.
Additionally, note that the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog in October.
Recommendations
In response to this critical situation, organisations are strongly advised to take the following actions:
- Apply the Patch: Immediately apply the patch released by Citrix to address CVE-2023-4966 on all affected devices.
- Change Credentials: Change all credentials on compromised NetScaler devices. This will invalidate potentially leaked session tokens.
- Inspect for Compromise: Thoroughly inspect your devices and infrastructure for signs of compromise.
For detailed security guidance, please refer to Mandiant’s in-depth recommendations here.
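One concrete way to carry out the "Inspect for Compromise" step is to look for a session token that appears in requests from more than one client IP, which is the trace a replayed (stolen) token leaves, since the attacker reuses it without a fresh login. The Python example below is added here and is not part of the original advisory or of Mandiant's guidance; the log format is a constructed, simplified imitation of NetScaler AAA/SSLVPN syslog lines, and the sample entries are made up.

```python
import re

# Constructed sample log (assumption: simplified NetScaler-style syslog layout,
# not the appliance's exact field syntax). Session 7f3a9c is first used by
# alice from 203.0.113.10 and later shows up from 198.51.100.77 with no new
# LOGIN event in between; bob's session is only ever used from one address.
SAMPLE_LOG = """\
10/23/2023:08:01:12 GMT ns 0-PPE-0 : AAA LOGIN_SUCCESS : User alice - Client_ip 203.0.113.10 - SessionId 7f3a9c
10/23/2023:08:01:15 GMT ns 0-PPE-0 : SSLVPN HTTPREQUEST : User alice - Client_ip 203.0.113.10 - SessionId 7f3a9c
10/23/2023:08:14:41 GMT ns 0-PPE-0 : SSLVPN HTTPREQUEST : User alice - Client_ip 198.51.100.77 - SessionId 7f3a9c
10/23/2023:08:20:02 GMT ns 0-PPE-0 : AAA LOGIN_SUCCESS : User bob - Client_ip 192.0.2.5 - SessionId c41d22
10/23/2023:08:20:09 GMT ns 0-PPE-0 : SSLVPN HTTPREQUEST : User bob - Client_ip 192.0.2.5 - SessionId c41d22
"""

# Extract the three fields the check needs from each line.
LINE_RE = re.compile(r"User (?P<user>\S+) - Client_ip (?P<ip>\S+) - SessionId (?P<sid>\S+)")


def parse_sessions(log_text):
    """Map each session id to the user it belongs to and every client IP seen using it."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        rec = sessions.setdefault(m.group("sid"), {"user": m.group("user"), "ips": set()})
        rec["ips"].add(m.group("ip"))
    return sessions


def find_hijack_candidates(log_text):
    """Return {session_id: (user, sorted client IPs)} for tokens used from >1 IP.

    A token issued to one client but replayed from a second address is the
    pattern a disclosed session token produces; no second LOGIN_SUCCESS is
    needed because the attacker never re-authenticates (MFA is bypassed).
    """
    return {
        sid: (rec["user"], sorted(rec["ips"]))
        for sid, rec in parse_sessions(log_text).items()
        if len(rec["ips"]) > 1
    }


if __name__ == "__main__":
    for sid, (user, ips) in find_hijack_candidates(SAMPLE_LOG).items():
        print(f"session {sid} ({user}) used from multiple IPs: {', '.join(ips)}")
```

Treat a hit as a lead rather than proof: a user roaming between networks also changes IP, so corroborate with login timing, geolocation and the Mandiant guidance before declaring a device compromised.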