Threat actors are exploiting a recently disclosed vulnerability in Citrix NetScaler ADC and Gateway appliances in order to target professional services, technology and government organizations.
The critical-severity flaw (CVE-2023-4966) was first disclosed by Citrix on Oct. 10, when the company released patches. Mandiant researchers on Tuesday said that they identified zero-day exploitation of the flaw in the wild starting in late August; additionally, Citrix updated its advisory on Tuesday to state that exploits have been observed. According to Citrix, the flaw stems from an unauthenticated buffer-related issue and could enable sensitive information disclosure.
“Successful exploitation could result in the ability to hijack existing authenticated sessions, therefore bypassing multi-factor authentication or other strong authentication requirements,” according to Mandiant researchers in a Tuesday alert. “These sessions may persist after the update to mitigate CVE-2023-4966 has been deployed. Additionally, we have observed session hijacking where session data was stolen prior to the patch deployment, and subsequently used by a threat actor.”
Depending on the permissions and scope of access allowed by the identity or session, the authenticated session hijacking could give threat actors further downstream access, said Mandiant researchers.
“A threat actor could utilize this method to harvest additional credentials, laterally pivot, and gain access to additional resources within an environment,” they said.
Various versions are impacted by the flaw, including NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50, NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15, NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19, NetScaler ADC 13.1-FIPS before 13.1-37.164, NetScaler ADC 12.1-FIPS before 12.1-55.300 and NetScaler ADC 12.1-NDcPP before 12.1-55.300.
Both Citrix and Mandiant researchers urged companies using impacted product versions to update as soon as possible, with Mandiant releasing a guide on Tuesday outlining additional steps for remediating and reducing risks related to the flaw. If organizations can’t immediately apply patches, Mandiant researchers recommended they enforce ingress IP address restrictions to limit any potential exposure and attack surface until they can do so. Given that sessions may persist after patches have been deployed, researchers also recommended that organizations terminate all active and persistent sessions after patch deployment, and outlined steps for investigating any potential malicious activity.
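A triage helper, added here and not part of the article or of Citrix's or Mandiant's tooling, that checks an appliance inventory against the fixed builds listed above. It assumes versions are written in the advisory's own "branch-build" form (e.g. "13.1-49.15") and that FIPS/NDcPP appliances are tagged with their variant; the hostnames and versions in the sample inventory are constructed.

```python
"""Check NetScaler ADC / Gateway builds against the CVE-2023-4966 fixed builds."""
from __future__ import annotations

# Fixed builds per (branch, variant), taken from the advisory text above.
# Variant "" is a standard build; "FIPS" and "NDCPP" are the hardened lines.
FIXED_BUILDS = {
    ("14.1", ""): "14.1-8.50",
    ("13.1", ""): "13.1-49.15",
    ("13.0", ""): "13.0-92.19",
    ("13.1", "FIPS"): "13.1-37.164",
    ("12.1", "FIPS"): "12.1-55.300",
    ("12.1", "NDCPP"): "12.1-55.300",
}


def parse_build(version: str) -> tuple[str, tuple[int, ...]]:
    """Split '13.1-49.15' into the branch '13.1' and the numeric build (49, 15).

    Builds are compared as integer tuples, so 49.100 correctly sorts after
    49.15 (a plain string comparison would get this wrong)."""
    branch, _, build = version.strip().partition("-")
    if not build:
        raise ValueError(f"expected '<branch>-<build>', got {version!r}")
    return branch, tuple(int(part) for part in build.split("."))


def is_affected(version: str, variant: str = "") -> bool | None:
    """True if the build predates the fix, False if it is at or past the fix,
    None if the branch/variant is not covered by the advisory (e.g. a
    standard 12.1 build, which the advisory does not list)."""
    branch, build = parse_build(version)
    fixed = FIXED_BUILDS.get((branch, variant.strip().upper()))
    if fixed is None:
        return None
    return build < parse_build(fixed)[1]


# Constructed sample inventory (hostname, version, variant); not from the article.
SAMPLE_INVENTORY = [
    ("gw-dc1", "13.1-49.13", ""),
    ("gw-dc2", "13.1-49.15", ""),
    ("adc-fips", "13.1-37.100", "FIPS"),
    ("adc-legacy", "12.1-55.300", ""),
]


def triage(inventory) -> dict[str, str]:
    """Label each host as affected, fixed or not covered by the advisory."""
    labels = {True: "affected", False: "fixed", None: "not-in-advisory"}
    return {host: labels[is_affected(ver, variant)] for host, ver, variant in inventory}
```

A build that reports as fixed only means the patch is present: as the article notes, sessions stolen before patching remain usable and the appliance keeps no artifact of exploitation, so the session-termination step still has to follow the upgrade.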
“To date, Mandiant has not identified any available logs or other artifacts resident on NetScaler appliances that record evidence of exploitation,” said researchers.
Security flaws in NetScaler ADC and Gateway appliances, part of Citrix’s line of networking products, have previously been targeted by threat actors. A remote code execution flaw (CVE-2023-3519) in NetScaler ADC and Gateway made waves earlier this year, with three separate threat actors leveraging the bug in their campaigns.