The BSI has issued a critical warning about a CVSS 9.4 vulnerability for the products Citrix NetScaler Application Delivery Controller and NetScaler Gateway. The vulnerability gives attackers access to sensitive information without authentication. According to specialist Mandiant, the vulnerability has been exploited for a long time.
According to the BSI, the manufacturer Citrix published an advisory on vulnerabilities in the products NetScaler Application Delivery Controller (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).. The one critical vulnerability is listed under the number CVE-2023-4966 according to Common Vulnerabilities and Exposures (CVE) and given a score of 9.4 (“critical”) according to CVSS. The vulnerability allows attackers to disclose sensitive information without authentication. This makes it possible to take over authenticated sessions (“session hijacking”) and bypass multifactor authentication (MFA) or other authentication means.
Full access possible without authentication
The IT security company Mandiant published a blog post on October 17th. This states that a first exploitation of the CVE-2023-4966 vulnerability was identified, which took place at the end of August 2023.
Attackers can use authenticated sessions to collect additional access data and thus potentially gain higher rights and spread them throughout the system and network. Exploitation has been observed by Mandiant in professional services and technology companies as well as government organizations.
Affected systems and versions
The vulnerabilities affect all NetScaler ADC and gateway systems that have been configured as a gateway (VPN Virtual Server, ICA Proxy, CVPN, RDP Proxy) or AAA Virtual Server and have the following patch versions:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
Important: NetScaler ADC and NetScaler Gateway Version 12.1 have already reached End-of-Life (EOL) and therefore will not receive any patches despite their vulnerability!
BSI best practice
It is recommended to exchange all connected access data that is related to the NetScaler instance. Due to the lack of log entries that could indicate exploitation, it cannot be detected on the NetScaler systems. If suspicious activity is observed on the network, the access data should be exchanged as quickly as possible, especially if there is access to the systems with suspicious activity from the Internet.
NetScaler ADCs or NetScaler Gateways on which WebShells or other backdoors were found should be reinstalled using a source image; any backups that can be imported should be checked for a backdoor that already contains them. If there is a Web Application Firewall (WAF) or other systems in front of the NetScaler system that logs URL requests, these can be examined for many requests from suspicious sources (IPs).
More at BSI.Bund.de
About the Federal Office for Information Security (BSI) The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.