This bulletin addresses the recently disclosed CRITICAL risk vulnerability present in Citrix NetScaler ADC and NetScaler Gateway appliances.
Although this vulnerability was patched in early October, the Triskele Labs Digital Forensics and Incident Response (DFIR) team has recently observed mass exploitation of this vulnerability, often allowing Threat Actors to gain Initial Access to networks, which can lead to subsequent attacks such as Ransomware and Data Theft.
Cyber security leaders such as Mandiant and Rapid7 have observed active exploitation of this vulnerability in the wild, dating as far back as late August 2023.
The US Cybersecurity and Infrastructure Security Agency (CISA) added an entry for CVE-2023-4966 to its Known Exploited Vulnerabilities (KEV) catalogue in October with a patch-by date of 08 November 2023, as it has also observed active and broad exploitation of this vulnerability.
Triskele Labs advises that all organisations follow the remediation steps outlined in the subsequent sections and verify the mitigation of this vulnerability as a priority.
On 10 October 2023, Citrix published a vulnerability disclosure impacting several versions of NetScaler ADC and NetScaler Gateway, as listed below:
NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
NetScaler ADC 13.1-FIPS before 13.1-37.164
NetScaler ADC 12.1-FIPS before 12.1-55.300
NetScaler ADC 12.1-NDcPP before 12.1-55.300
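The affected-version list above is easy to misread when the FIPS and NDcPP builds are mixed in with the standard releases: a 13.1 build numbered 37.164 is fixed on the FIPS branch but still vulnerable on the standard branch, whose fix only arrived at 49.15. The following Python helper is an added example (not Citrix or Triskele Labs code) that encodes the advisory's fixed builds as data and answers "is this build before the fix?" for a version string written the way the bulletin writes it (e.g. 13.1-49.15), with an optional variant argument for the FIPS/NDcPP rows; the variant naming is an assumption of this example.

```python
import re
from typing import Optional, Tuple

# Fixed builds taken from the advisory list above. A build strictly
# *before* the listed value on the same release family is affected.
FIXED_BUILDS = {
    "14.1": (8, 50),
    "13.1": (49, 15),
    "13.0": (92, 19),
    "13.1-FIPS": (37, 164),
    "12.1-FIPS": (55, 300),
    "12.1-NDcPP": (55, 300),
}

# Accepts the "<major>.<minor>-<build>.<sub>" form used in the bulletin.
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str, variant: str = "") -> Tuple[str, Tuple[int, int]]:
    """Split '13.1-49.15' into its release family ('13.1') and build (49, 15).

    `variant` is 'FIPS' or 'NDcPP' for the hardened builds (assumed naming,
    chosen here to match the advisory rows); empty for the standard release.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    family = m.group(1)
    if variant:
        family = f"{family}-{variant}"
    return family, (int(m.group(2)), int(m.group(3)))


def is_affected(version: str, variant: str = "") -> Optional[bool]:
    """True if the build predates the fix for its family, False if it is at or
    after the fix, None if the family is not in the advisory list at all.

    None must not be read as "safe": a release family the advisory does not
    list (for example an older, unlisted branch) still needs manual review.
    """
    family, build = parse_version(version, variant)
    fixed = FIXED_BUILDS.get(family)
    if fixed is None:
        return None
    # Tuple comparison orders (49, 13) < (49, 15) and (37, 164) < (49, 15)
    # exactly as build numbers should be compared.
    return build < fixed


if __name__ == "__main__":
    for ver, var in [("13.1-49.13", ""), ("13.1-37.164", ""),
                     ("13.1-37.164", "FIPS"), ("14.1-8.50", "")]:
        label = f"{ver} {var}".strip()
        print(f"{label:>18}: affected={is_affected(ver, var)}")
```

Note that the same build string gives opposite answers depending on the variant: `is_affected("13.1-37.164")` is True for the standard branch but `is_affected("13.1-37.164", "FIPS")` is False. Feed it the version reported by the appliance, not a version assumed from the purchase record.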
Following this disclosure, on 25 October 2023, a Proof-Of-Concept (POC) was released by security researchers at AssetNote detailing the method used to extract session tokens from the affected devices. The Triskele Labs DFIR team has noted that due to the public availability of a POC, this method of exploitation has low complexity.
Additionally, the DFIR team has repeatedly observed Threat Actors exploiting this vulnerability to collect session tokens over time.
This Threat Actor behaviour is highly concerning, as it means that even after applying the patch provided by Citrix and rebooting the system, previously stolen session tokens remain valid, allowing Threat Actors to bypass the login credential and Multi-Factor Authentication (MFA) stages entirely.
Triskele Labs recommends upgrading to the latest NetScaler firmware version immediately to ensure permanent mitigation as a priority.
These updates should be conducted after isolating the appliance to limit its exposure. If an organisation is utilising any affected versions of NetScaler, Triskele Labs strongly recommends conducting a Threat Hunt both on the NetScaler device and on connected internal systems to look for evidence of exploitation, such as web shells, backdoors, C2 beacons and other persistence mechanisms.
Additionally, all active and persistent sessions should be terminated to ensure that the extracted session tokens are not viable for Threat Actors.
Mandiant has provided the following steps to terminate these sessions:
Connect to the Citrix NetScaler appliance using the CLI.
To terminate all active sessions, run the following command:
kill aaa session -all
To clear persistent sessions across NetScaler load balancers, run the following command (where <vServer> is the name of the virtual server/appliance):
clear lb persistentSessions <vServer>
To clear existing ICA sessions, run the following command:
kill icaconnection -all
Organisations can assess their assets for this vulnerability by running the curl-based commands that security researcher Kevin Beaumont has provided at:
Organisations can also check HTTP logs for POST requests to the following endpoint as an indicator of potential exploitation:
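As an added illustration of that log check (example code, not part of the bulletin or of any vendor tooling), the Python below parses NCSA combined-format access-log lines, such as those written by a reverse proxy or web server sitting in front of the gateway, and reports every POST to a configured endpoint, grouped by source address. The endpoint path is deliberately left as a labelled placeholder to be replaced with the one the bulletin names; the log lines and addresses (TEST-NET ranges) are constructed for the example, and the regex assumes the combined format, so NetScaler's own syslog-style logs would need a different pattern.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# PLACEHOLDER: replace with the endpoint path given in the bulletin.
ENDPOINT = "/REPLACE-WITH-ENDPOINT-FROM-BULLETIN"

# NCSA "combined" access-log line: client, identd, user, [timestamp],
# "METHOD path PROTO", status, size, then referer and user-agent.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic): two POST sources, one GET,
# one unparseable line to show the parser skipping it.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Oct/2023:10:12:01 +0000] "POST /REPLACE-WITH-ENDPOINT-FROM-BULLETIN HTTP/1.1" 200 512 "-" "curl/8.1.2"
198.51.100.23 - - [26/Oct/2023:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Oct/2023:10:12:09 +0000] "POST /REPLACE-WITH-ENDPOINT-FROM-BULLETIN?x=1 HTTP/1.1" 200 512 "-" "curl/8.1.2"
203.0.113.9 - - [26/Oct/2023:10:13:44 +0000] "POST /REPLACE-WITH-ENDPOINT-FROM-BULLETIN HTTP/1.1" 403 0 "-" "python-requests/2.31"
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_post_hits(lines: Iterable[str], endpoint: str) -> List[Dict[str, str]]:
    """Return parsed entries whose method is POST and whose path, with any
    query string stripped, equals `endpoint`.

    Status codes are intentionally not filtered: a 403 still records an
    attempt against the endpoint and is worth seeing during a hunt.
    """
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]
        if entry["method"] == "POST" and path == endpoint:
            hits.append(entry)
    return hits


def summarise_by_source(hits: Iterable[Dict[str, str]]) -> Counter:
    """Count hits per client address so repeated sources stand out."""
    return Counter(h["ip"] for h in hits)


def scan_text(text: str, endpoint: str = ENDPOINT) -> Counter:
    """Convenience wrapper: scan a whole log file's contents at once."""
    return summarise_by_source(find_post_hits(text.splitlines(), endpoint))


if __name__ == "__main__":
    for hit in find_post_hits(SAMPLE_LOG.splitlines(), ENDPOINT):
        print(f'{hit["ts"]}  {hit["ip"]:<15} {hit["status"]}  {hit["path"]}')
    print("per-source counts:", dict(scan_text(SAMPLE_LOG)))
```

Run it against a real file with `scan_text(open(path).read())` after setting `ENDPOINT`. Any source appearing in the counter warrants correlation with the session-termination and credential-reset steps above, since a single successful POST is enough to obtain a token that the patch alone does not invalidate.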
Triskele Labs strongly recommends that affected organisations reset any credentials for user identities that can access resources through the NetScaler Gateway.
Triskele Labs customers with DefenceShield Assess (our Vulnerability Scanning service) are being monitored for vulnerable appliances. All customers with our Monitor service (our 24x7x365 SIEM) are, as always, being monitored for Indicators of Compromise (IOCs) related to this event and any other suspicious activity.
References used for the generation of this release: